Approval via email

[wsw70]

I have just discovered windmill and it looks awesome ❤️

As I was thinking about how to develop a few flows (I was considering Airflow before) and one of the ones I do not know how to approach is a general "approval by email".

The idea would be to use the SMPT integration to send emails with two links: approve and deny. Clicking on these links would call a webhook that would update a workflow step. (EDIT: I specifically do not want to have the approvers to go to Windmill to perform the approval on the web interface, I need the links in the email to directly trigger an approval or a deny).

First of all: is this the right approach, generally speaking (especially the webhook part)

Then, the webhook would need to be called with a unique token that can identify and confirm the source (so it is impossible to spoof the approver). What do you think is the right way to handle this?

• have an ad-hoc endpoint created for each of the approvals (and a call to that endpoint would trigger an approved/denied)?
• or have a common "approval" endpoint with its own logic, which would further change the state of an approval action (but this requires quite a sophisticated database setup)?
• or something else?
• or a built-in mechanism?

[HugoCasa]

Hi, Windmill has a built-in mechanism for approval steps: https://www.windmill.dev/docs/flows/flow_approval
Here's an example script you can adapt for SMTP: https://hub.windmill.dev/scripts/gmail/1397/suspend%2Fresume-a-flow-by-sending-approval-url-via-email-gmail

[wsw70]

Thank you for your answer @HugoCasa

Windmill has a built-in mechanism for approval steps: https://www.windmill.dev/docs/flows/flow_approval

I saw that one as one of the possible actions.

Here's an example script you can adapt for SMTP: https://hub.windmill.dev/scripts/gmail/1397/suspend%2Fresume-a-flow-by-sending-approval-url-via-email-gmail

This was a solution I did not want to use. I should have made it explicit in the question (which I will do).

The thing is that I do not want to redirect the recipients to Windmill to perform their approval (for various reasons, some very good, some less good). I need to have the link in the email to trigger the approval/deny on its own, without further intervention. Thus the idea of the webhook, and especially the possibility to use a built-in solution to handle this, as opposed to writing the engine myself (a database that would get populated with the requests IDs, and then updated with the approval/denial)

[rubenfiszel]

you only need to slightly modify the script to have access to the direct url to approve it:

Line 43:

const { approvalPage } = await getResumeUrls(to_email);

const { resume } = await getResumeUrls(to_email);

and send the resume url instead. It works with both POST and GET. We do not recommend doing this because most email provider will check the urls and thus trigger the approval

[wsw70]

you only need to slightly modify the script to have access to the direct url to approve it:

Fantastic, thank you. I will try this out.

and send the resume url instead. It works with both POST and GET. We do not recommend doing this because most email provider will check the urls and thus trigger the approval

This is a good point - and it has already surfaced with other similar cases (even for basic "an email was sent with a link to confirm ..." that got checked in the background, confirming something not intended to be confirmed). This triggered a change of the email security provider because the other one could not prevent that.