FIXED: Token authentication changes

We’ve had an option to allow users to RSVP for events by clicking on a link in their email that contains a special token that identifies them. This has been very convenient and is a well-liked feature. This token did not log the user in however - it just allowed them to RSVP. For example, you couldn’t use this token to RSVP and then visit your dashboard. When you went to your dashboard you were prompted to login.

The new shopping cart has pushed this solution to the edge, and I’ve been re-thinking it. I would like to change the token authentication so that instead of providing limited access it simply logs the user in and gives them full access (based on their privileges, of course).

Many sites (slack, twitter, others) allow this type of login. I think it will be a convenience that will be appreciated, but it requires one change that is important to understand: all users will need to have a login.

In the past it was possible to add a user without creating a user account (i.e. username and password). If we go this route, this will no longer be the case.

In my mind, this is an improvement. You lose a lot of value from TT if you don’t let adults log in to the system.

Let me know what you think.

Thanks!

Dave

My first thought is a concern about security. E-mail is not the most secure medium of communication, although it has gotten better over the years, but by sending a token via e-mail that just logs you in, if that e-mail is intercepted by someone else then they have full access to that person’s TT account.

We do have parents that never bother actually logging into TT and fully creating their account; what happens in that case?

I agree with Aaron about the security.

We have parents that copy the link or forward the email to others from RSVPs or signup sheets. I would have concerns that they inadvertently give full access for the account to others.

If I understand this correctly, I as an admin would not be able to add a new member to the roster without having that new member create an account first.

If this is the case then I STRONGLY would advise against this.

We use our TroopTrack to manage everything for every person on the roster. Even for people who do not have an account because they never access it. This is true for some of our adult committee members and our charter organization representative. This is also true for usually one parent of a Scout. (typically I have one parent who does have an account and one parent who does not for whatever reason.)

We can not lose the ability to add new members freely. Please do not go down that path. It would hurt our organization’s member management and record keeping incredibly.

@JustinWeaver You wouldn’t have to wait for them to create an account first, that’s not what I mean. In terms of the process for adding members, nothing would really change. Behind the scenes we would be creating a user account object in the database.

@sct @AaronStorey I discussed the idea of the token logging people in fully, and we agreed it’s not a good idea for the same reasons you mention. We aren’t comfortable with a user charging a credit card based on that token either. I think we are going to allow users to RSVP with the token, but will ask them to log in when they get to the cart.

1 Like

If there are cases of events that don’t have fees, then the token RSVP is great, and nothing else is required. It just has to be known that if there is a fee associated with the event they will be required to login to complete that transaction.

What happens in the case where the event requires the fee to RSVP? Would they even be given the option to RSVP from a token in the e-mail?

Original thinking: They would be able to do everything up until the cart. Then they would need to log in. I’m open to other things.

I think it will be easier to show you what I am seeing when we screen share this evening. Plus I should really get back to work. LOL

I think that is the best. That is usually how most ecomm sites work: add things to the shopping cart, then sign up to checkout.

1 Like

Okay, so if users are RSVP’ing to a free event, the token will work all the way through, but if they need to go through their cart they will need to log in. I think that sounds reasonable.

1 Like
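As an added illustration of the design the thread settles on (an e-mail token that can only RSVP, while the cart requires a real login), here is an example of a scoped, expiring, HMAC-signed token. This is example code, not TroopTrack’s own implementation; the secret, user ids and event ids are constructed values, and the scope names `rsvp` and `checkout` are assumptions.

```python
import hashlib
import hmac
import time

# Server-side signing secret. Constructed value for this example; a real
# deployment keeps it out of source control and rotates it.
SECRET = b"example-secret-do-not-use"


def make_token(user_id, event_id, scope, ttl, now=None):
    """Build a token of the form payload.signature.

    The payload binds the user, the event, the permitted scope and an
    expiry time, so a forwarded or intercepted link can only do the one
    thing it was issued for, and only for a limited time.
    """
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{event_id}:{scope}:{now + ttl}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token, required_scope, event_id, now=None):
    """Return the user_id if the token is valid for this scope and event.

    Returns None on a bad signature, a malformed token, a scope mismatch
    (e.g. an rsvp token presented at checkout), a different event, or
    an expired token.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        uid, eid, scope, exp = payload.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    if scope != required_scope or int(eid) != event_id or now >= int(exp):
        return None
    return int(uid)


if __name__ == "__main__":
    link_token = make_token(42, 7, "rsvp", ttl=7 * 24 * 3600)
    print("RSVP as user:", verify_token(link_token, "rsvp", 7))
    # The same link cannot be used to check out; the cart asks for a login.
    print("Checkout with RSVP token:", verify_token(link_token, "checkout", 7))
```

The checkout path calls `verify_token` with the `checkout` scope and falls back to the normal login when it returns None, which is the behaviour agreed on above.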

Okay, it’s live. Users must now log in to check out.

1 Like