Draft for OTP login #725

Draft
wants to merge 11 commits into master

Conversation

sergioisidoro

@sergioisidoro sergioisidoro commented Apr 22, 2023

As mentioned in #724 -- I had a bit of fun drafting this.

Requirements considered:

  • We should have a human readable token that can be sent via SMS or Email, and copied manually to an App
    • There should be a sufficient mitigation against brute force, by only allowing short tokens to be redeemed together with the same data that requested them (e.g. passing the same email / phone number that requested it while redeeming). This should be configurable to False if desired (discouraged). Short tokens can never be standalone, otherwise we risk DDoS due to resource exhaustion.
  • We should have a long token that is redeemable as standalone, so that it can be included in "Magic links" like Mobile app deep links. This is to ensure email and phone numbers do not need to be passed in the request URL parameters.
    • The link may be completely different from the django app, (eg. with app deep links like my-app://login/<token>), so it shall not be tied to the general django settings for domain and protocol.
  • Tokens should be configurable to be redeemable more than once, to mitigate link trackers and certain email clients that follow and crawl links in the email
  • Token length, and token characters to be fully customisable
  • Follow the overall structure and infrastructure of this repo as much as possible (Configurable serialisers, Configurable permissions, etc)
  • When a user exchanges the OTP token for an auth token, the user will be automatically marked as active, since they just followed a link from SMS or email.
  • Allow automatic registration via OTP
    • Setting to automatically register a user that requests an OTP.
    • Automatically generate usernames (configurable, and using Abstract user field configs), for the cases when usernames are mandatory
    • Other mandatory fields - here be dragons.
  • Serialisers should reuse as much of the field logic as possible. E.g. if we use django-phonenumber-field's PhoneNumberField, the validation logic should be reused in the serialiser as much as possible, through the use of model serialisers.

Todos

  • Does not yet send SMS; that's the developer's responsibility at the moment, so as not to create dependencies on certain providers.

How to test:

Request code

# Content-Type header added so the JSON body is parsed as JSON rather than form data;
# user@example.com is a placeholder address.
curl --request POST \
  --url http://localhost:8000/passwordless/request/email/ \
  --header 'Content-Type: application/json' \
  --data '{
    "email": "user@example.com"
  }'

Redeem standalone code

# The long token alone is enough; no email or phone number is sent.
curl --request POST \
  --url http://localhost:8000/passwordless/exchange/ \
  --header 'Content-Type: application/json' \
  --data '{
    "token": "8yfk3cphkpaf6k68abw82ogn8sdyw5b4uay662d874z07iqsnaw6o7w8lbvf3kta"
  }'

Or redeem the short code, which must include the original request data.

# The short token is only accepted together with the identifier that requested it;
# user@example.com is a placeholder address.
curl --request POST \
  --url http://localhost:8000/passwordless/exchange/ \
  --header 'Content-Type: application/json' \
  --data '{
    "email": "user@example.com",
    "token": "286826"
  }'

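A minimal reference model of the two-token scheme described above, added here as an illustration; it is not code from this PR or from the project. The names (`OtpStore`, `OtpRecord`, `request_token`, `exchange`) and the settings constants are hypothetical stand-ins for the configurability the description asks for, and the in-memory dictionaries stand in for the database table a Django implementation would use. It shows the three properties the PR relies on for safety: the short token is bound to the identifier that requested it, the long token is redeemable standalone, and a redemption counter plus a failed-attempt cap implement the link-crawler tolerance and brute-force mitigation.

```python
"""Added example: reference model of the short/long OTP token scheme.

Not code from the PR or the project; names and settings are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Configurable token shape (hypothetical setting names).
SHORT_TOKEN_LENGTH = 6
SHORT_TOKEN_ALPHABET = "0123456789"                           # typed by a human from SMS/email
LONG_TOKEN_LENGTH = 64
LONG_TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # safe inside URLs / deep links
TOKEN_TTL_SECONDS = 15 * 60
MAX_REDEMPTIONS = 1                    # raise to tolerate mail clients that pre-fetch links
ALLOW_STANDALONE_SHORT_TOKEN = False   # configurable, but discouraged
MAX_FAILED_ATTEMPTS = 5                # invalidate the code after this many wrong short guesses


def _digest(token: str) -> str:
    """Persist only a hash so a leaked table row does not contain live tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _random_token(alphabet: str, length: int) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class OtpRecord:
    identifier: str        # email or phone number that requested the token
    short_digest: str
    long_digest: str
    created_at: float
    redemptions: int = 0
    failed_attempts: int = 0


class OtpStore:
    """In-memory stand-in for the database table the project would use."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._by_identifier: Dict[str, OtpRecord] = {}
        self._by_long_digest: Dict[str, OtpRecord] = {}

    def request_token(self, identifier: str) -> Tuple[str, str]:
        """Issue a fresh (short, long) pair; a new request replaces any old one."""
        self._forget(self._by_identifier.get(identifier))
        short = _random_token(SHORT_TOKEN_ALPHABET, SHORT_TOKEN_LENGTH)
        long_ = _random_token(LONG_TOKEN_ALPHABET, LONG_TOKEN_LENGTH)
        rec = OtpRecord(identifier, _digest(short), _digest(long_), self._now())
        self._by_identifier[identifier] = rec
        self._by_long_digest[rec.long_digest] = rec
        return short, long_

    def exchange(self, token: str, identifier: Optional[str] = None) -> Optional[str]:
        """Return the identifier the token proves control of, or None.

        The long token is redeemable standalone (magic links). The short token
        is accepted only together with the identifier that requested it, unless
        ALLOW_STANDALONE_SHORT_TOKEN is set.
        """
        digest = _digest(token)
        rec = self._by_long_digest.get(digest)
        if rec is None and identifier is not None:
            rec = self._by_identifier.get(identifier)
        if rec is None and ALLOW_STANDALONE_SHORT_TOKEN:
            rec = next((r for r in self._by_identifier.values()
                        if hmac.compare_digest(r.short_digest, digest)), None)
            if rec is not None:
                identifier = rec.identifier  # standalone short token: bind after the fact
        if rec is None:
            return None
        if self._now() - rec.created_at > TOKEN_TTL_SECONDS:
            self._forget(rec)
            return None
        matched = hmac.compare_digest(rec.long_digest, digest) or (
            identifier == rec.identifier and hmac.compare_digest(rec.short_digest, digest))
        if not matched:
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self._forget(rec)  # force the user to request a new code
            return None
        rec.redemptions += 1
        if rec.redemptions >= MAX_REDEMPTIONS:
            self._forget(rec)
        return rec.identifier

    def _forget(self, rec: Optional[OtpRecord]) -> None:
        if rec is None:
            return
        self._by_identifier.pop(rec.identifier, None)
        self._by_long_digest.pop(rec.long_digest, None)
```

The caller (the exchange view, in the project's case) would take the returned identifier, look up or auto-register the user, mark them active and issue the auth token; that part is left out here because it belongs to the project's own user model and serialisers.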