Hi,
We have a request to ensure that a portal link cannot be reused and that it cannot be accessed outside of the site that embeds the portal links. The client is concerned that the URL will be exposed and that a nefarious actor could use the URL to create cases using the same portal link.
From my research I found that we can use a Web API to expose an encrypted URL using a!urlForPortal (source: https://docs.appian.com/suite/help/24.1/url-parameters.html#linking-from-an-external-website), but the client says this won't solve the problem because a person could still grab the encrypted URL and reuse it.
I realize portals are for anonymous users, but the client is asking about this regardless.
Any suggestions would be helpful.
Then you need to make sure that this link can only be used once. Encrypted URL parameters are the way to go. For generated links, you will have to track usage in the database.
This is accurate. To add onto it: there is no method for making sure a portal URL, once generated, can only be used from within a specific website. However, if you generate using encrypted URLs and add the app behavior Stefan is suggesting to prevent using a URL twice, you'll have effectively achieved what you want.
Stefan Helzle John Rogers Can you further elaborate? The goal is to expire a URL but I don't think us having the URL tracked in the DB does much for us. The user can still save the URL and paste it later for future use and it will work.
Assuming your user is expected to take some sort of action on the portal site, then at the same time a unique identifier for that portal "instance" (which you'd invent at creation time and pass into it using URL parameters), would be written to the database as having been "used". When the portal first loads, it would query that same database and make sure its "instance" identifier is not yet marked as "used", otherwise it would display a blank page / warning message / severe scolding / etc. At least, that's the simplest way I can think of doing this off the top of my head.
Yep, this is about how I'd do it, too - mark the URL as used in the same write/process that happens when the form submits (or whatever action the user is supposed to take).
You could also make a time-expiring URL by capturing the timestamp when the identifier is created, and then when evaluating the URL checking that timestamp to see if the URL is still valid.
Mike Schmitt John Rogers Ok that makes sense. We can leverage a parameter from the encrypted URL that acts as some sort of session id that's tracked in the database whenever a new URL is generated, update that session id for that particular record. That way if the user refers to an older URL, the session ids won't match and we can display an interface letting the user know the URL has been expired. Thank you all!
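The single-use, time-limited identifier discussed in this thread, sketched as an added example that is not from any poster and is not Appian code: Python with SQLite stands in for the portal's data store, and the table, function names and 15-minute window are assumptions. The point it shows is that the "mark as used" step should be one conditional write, so two submissions of the same link cannot both succeed.

```python
import secrets
import sqlite3
import time

TTL_SECONDS = 15 * 60  # assumed validity window; the thread does not name one
# Shared predicate: id exists, is unused, and is younger than the TTL.
LIVE = "instance_id = ? AND used_at IS NULL AND created_at > ?"


def open_store(path=":memory:"):
    """Create the tracking table (hypothetical schema, not an Appian object)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS portal_link ("
               "instance_id TEXT PRIMARY KEY, created_at REAL, used_at REAL)")
    return db


def issue_link(db, now=None):
    """Mint an unguessable instance id and record its creation time."""
    now = time.time() if now is None else now
    instance_id = secrets.token_urlsafe(32)
    with db:
        db.execute("INSERT INTO portal_link (instance_id, created_at) "
                   "VALUES (?, ?)", (instance_id, now))
    return instance_id


def is_usable(db, instance_id, now=None):
    """Page-load check (read only): decide whether to render the form."""
    now = time.time() if now is None else now
    sql = "SELECT 1 FROM portal_link WHERE " + LIVE
    row = db.execute(sql, (instance_id, now - TTL_SECONDS)).fetchone()
    return row is not None


def consume(db, instance_id, now=None):
    """Submit-time check: mark the id used in one conditional UPDATE.

    Only one caller gets rowcount == 1, so two submissions racing on the
    same link cannot both pass, unlike a separate check followed by a write.
    """
    now = time.time() if now is None else now
    sql = "UPDATE portal_link SET used_at = ? WHERE " + LIVE
    with db:
        cur = db.execute(sql, (now, instance_id, now - TTL_SECONDS))
    return cur.rowcount == 1
```

The identifier returned by `issue_link` is what would travel in the encrypted URL parameter; the case should only be created when `consume` returns `True`.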