Let people unsubscribe from emails without logging in

[chrifro]

Problem:

• Currently, users need to login in before there are able to unsubscribe from emails. The unsubscribe link links to https://gitpod.io/notifications. Legally we must provide a way to unsubscribe within a single page [1].
• With the new newsletter widget, people that don't have a Gitpod account can also sign up for emails. They need to have an option to unsubscribe from emails as well.

Solution:
Creating an API where people can unsubscribe without logging in

Acceptance criteria:

• Create an "Unsubscribed successful" page on website
• Create a new API on the server
• Change links in the email campaigns to redirect to the new API

Note: changes in /notification are already automatically forwarded and updated in customer.io

Context:
customer.io docs
internal discussion

cc @jakobhero @atduarte

[csweichel]

/schedule

[JanKoehnlein]

/assign @laushinka

[chrifro]

Summary of the internal discussion:

Going forward we want to have two links in the email footer:

1. update preferences (users needs to log in -> link already exists, no action needed)
2. unsubscribe (user is automatically removed from the current mailing list and sees a "you have been successfully unsubscribed" page)

Next action:
create mockup @ChristinFrohne
technical implementation @laushinka

[chrifro]

The unsubscribe page can be a copy of the submitted contact form and would look similar to this:

[svenefftinge]

We can create a REST API on the server (e.g. /unsubscribe?userid=293z4h34r7334743d?type=newsletter) that would do the change and redirect to the "Unsubscribed" website page that Christin shared above.

That API wouldn't require a login, of course, so anyone can unsubscribe any user if they know the userid. I believe there's not a lot of harm done in that case and the user ids are not publicly visible.

@csweichel @leodido any concerns with such a simple approach from a security angle?

[csweichel]

A few thoughts on this:

1. Where does the userID come from? The user isn't logged in anymore, so how does the system know which userID to use? Would we send this as an unsubscribe link in the email?
2. userID's are not secret, i.e. we don't specifically protect them and there's a very good chance that we "leak" them somewhere. That said, if the "REST API" always redirects to the page and returns no user-specific information there would indeed be little harm done from an information leakage perspective. We should definitely monitor that endpoint closely from a call rate perspective and have an alert if it exceeds a sensible value (tbd).

[laushinka]

The unsubscribe page can be a copy of the submitted contact form and would look similar to this:

@ChristinFrohne PR done here