magic link only auth #3856
Comments
|
Can you please elaborate -- what exactly is meant with "close but not similar"? |
|
@pennersr apologies I should have been clearer, for one, it uses code instead of just a link that you can click. I had to double-check and when I did I found this discussion: #1472 so it seems the decision is deliberate, I wonder if it's possible to make a magic link implementation on top of this? my thinking is to generate a URL to pass the login code there somehow and then automatically log the user in by reading the GET parameter? I am not sure the exact mechanisms nor whether it is possible or not. Some guidance would be helpful 🙏🏻 |
|
@hyusetiawan OAuthAccordig to OAuth, you can get email from use and then get code in email and user have to login with that code, but if you only want to click on link and login directly you can setup a custom flow with this in that api you will tell OAuth to send a link when user provide email and then user can click on the link and direct login. Another approach is using custom flow.I recently implemented magic logic link with OAuth but if you need to implement custom with django, use django I guess you understand that, that link will only be valid for some time and can be use as magic login. As an example here is simple demo code you can use for temporary link that can be use for from django.utils.encoding import force_str
from django.utils.encoding import force_bytes
from django.utils.http import urlsafe_base64_encode
from django.utils.http import urlsafe_base64_decode
from django.contrib.auth.tokens import PasswordResetTokenGenerator
class TokenGenerator:
def generate_token(self, user):
user_hash = f'{user.pk}|{user.username}|{user.email}|{user.is_active}'
uid_64 = urlsafe_base64_encode(force_bytes(user_hash))
account_activation_token = PasswordResetTokenGenerator()
token = PasswordResetTokenGenerator.make_token(self=account_activation_token, user=user)
tokenInfo = {
'uidb64': uid_64,
'token': token
}
return tokenInfo
def verify_token(self, user, token):
account_activation_token = PasswordResetTokenGenerator()
return PasswordResetTokenGenerator.check_token(self=account_activation_token, user=user, token=token)
def decode_uid(self, uidb64):
return force_str(urlsafe_base64_decode(uidb64))You can change - user_hash = f'{user.pk}|{user.username}|{user.email}|{user.is_active}'
+user_hash = f'{user.pk}|{user.your-custom-field-after-link-click}' Let me know if I understand wrong.. |
|
@deviserops you understood correctly actually, I understand that there will need to be some custom code. You are generating your own password token but django-allauth also generates a token of its own, I wonder if we can use the library as to implement magic link?
Wouldn't this replicate a magic link behavior using purely django all auth? |
|
Note that logging in by link comes with additional security caveats. Even Slack which was once using “Magic links” to login abandoned those. Issues:
So logging in by code instead of link is actually more secure. |
|
@hyusetiawan Also as @pennersr say's that it will be security concerns so is true. you have to make sure that link will send to only those who want to sign in, but this can also be compromised in some way. OAuth team does not recommend using magic link though. |
|
Given the concerns mentioned I prefer not to bring this in scope. |
Is it possible to have a magic link login? I saw that the config has:
ACCOUNT_LOGIN_BY_CODE_ENABLED
the behavior is close but not similar to the typical magic link login UX.
The text was updated successfully, but these errors were encountered: