Roundup Tracker - Issues

Message7932

Author rouilj
Recipients rouilj
Date 2024-01-12.01:14:40
Message-id <1705022080.56.0.548339748247.issue2551313@roundup.psfhosted.org>
In-reply-to
https://workos.com/blog/a-guide-to-magic-links

Similar to forgot password recovery email.

Basic flow (* marks admin settings for configuration):

  user requests magic link login with username (or email) (* setting both, email, username)
  roundup action receives request and generates:
      url to ?@action=magic_link&key=long_random_string_64+_chars
    session db stores long_random_string_64+_chars as key with value blob:
         username=username
         optionally store random cookie "magic_link"="random nonce" different from
            one in magic link url. Expiration on cookie 2x link timeout
            (* setting enable magic_link cookie)
         timeout= now+10 minutes  (* 10 minutes)

  notification page to user includes magic_link cookie nonce. It reports to user that
    magic link was sent to their email address. Remind them to check
    spam folder if they don't see it. Also tell them that magic link should be
    opened in the same browser if magic_link cookie set.

    If username was used to request link, use masking when reporting primary address,
      or use alternate message: "magic link sent to primary email address for username".
      E.G. user@example.com gets masked as __er@exa____.c__.  (* email address for
      username: none -> alternate message, masked)

    If email address is given to login, don't mask the email address.

    If the email address or username is not found, report the email address or
       some masked username and dummy domain as though it had been found. Basically
       don't let magic link request be used to guess usernames/email addresses.

  when url is triggered code:
         looks up long_random_string_64+_chars
         verifies that current time is < timeout
         if "magic_link" cookie is in use, verifies that request has the cookie set and
            matches the random string.
      if both verifications pass, log user in and generate session cookie.
      if any verification doesn't pass notify user the magic link is invalid
      if the value reports that the magic link token has been used, notify user
         it has been used and to notify the tracker admin.
 
      Invalidate the data associated with the long_random_string_64+_chars and
        set lifetime to 1 hour so use of consumed magic token is recorded for 1 hour
        to let user know something has gone wrong. (* lifetime setting???)

Additional concerns:

   use ssl based smtp channel to prevent man in the middle (mitigated
      by magic_link cookie that requires url be opened on same browser used to request
      the magic link email/url; also notification that link has been intercepted/used).
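The flow above (token issue with a separate cookie nonce, 10 minute timeout, enumeration-safe reply with masked address, consumption that keeps a "used" record for an hour) as a runnable sketch. This is an added example, not Roundup code or code from the issue author; the in-memory MagicLinkStore stands in for Roundup's session db, the USERS table is constructed, and the masking rule is inferred from the single example in the message (local part keeps its last two characters, domain labels keep three, the TLD keeps one), which is an assumption.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Admin settings from the proposal (the "*" items); the values are assumptions.
LINK_TIMEOUT = 10 * 60        # magic link valid for 10 minutes
CONSUMED_LIFETIME = 60 * 60   # keep a consumed token's record for 1 hour
USE_COOKIE = True             # require the "magic_link" browser cookie nonce

# Constructed stand-in for the tracker's user table: username -> primary email.
USERS = {"alice": "user@example.com", "bob": "bob@tracker.test"}


@dataclass
class MagicLinkStore:
    """Stand-in for Roundup's session db: token -> value blob (a dict)."""
    entries: dict = field(default_factory=dict)


def mask_email(addr):
    """Mask an address so that user@example.com reads __er@exa____.c__.
    Rule inferred from that one example (assumption): local part keeps its
    last two characters, each domain label keeps three, the TLD keeps one."""
    local, _, domain = addr.partition("@")
    labels = domain.split(".")

    def keep_prefix(s, n):
        return s[:n] + "_" * (len(s) - n) if len(s) > n else "_" * len(s)

    masked_local = "_" * (len(local) - 2) + local[-2:] if len(local) > 2 else "_" * len(local)
    masked_labels = [keep_prefix(lbl, 3) for lbl in labels[:-1]] + [keep_prefix(labels[-1], 1)]
    return masked_local + "@" + ".".join(masked_labels)


def request_link(store, identifier, now=None):
    """Handle a login request by username or email. Always answers as if the
    account exists, so the endpoint cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    by_email = "@" in identifier
    if by_email:
        username = next((u for u, e in USERS.items() if e == identifier), None)
    else:
        username = identifier if identifier in USERS else None

    result = {"token": None, "cookie": None, "url": None, "email_to": None,
              "cookie_max_age": 2 * LINK_TIMEOUT}   # cookie outlives the link 2x
    if username is not None:
        token = secrets.token_urlsafe(48)   # 64 URL-safe characters
        nonce = secrets.token_urlsafe(32)   # independent random value for the cookie
        store.entries[token] = {"username": username, "nonce": nonce,
                                "timeout": now + LINK_TIMEOUT, "used": False}
        result.update(token=token, cookie=nonce, email_to=USERS[username],
                      url="?@action=magic_link&key=" + token)

    # Same message shape whether or not the account was found.
    if by_email:
        shown = identifier                         # given address, not masked
    elif username is not None:
        shown = mask_email(USERS[username])        # masked primary address
    else:
        shown = mask_email(identifier + "@example.invalid")   # masked dummy domain
    result["message"] = (f"A magic link was sent to {shown}. Check your spam folder "
                         "if you do not see it."
                         + (" Open the link in this same browser." if USE_COOKIE else ""))
    return result


def consume(store, token, cookie_nonce, now=None):
    """Validate a presented token. Returns (status, username); status is "ok",
    "invalid", or "used" (the latter tells the user to alert the tracker admin)."""
    now = time.time() if now is None else now
    entry = store.entries.get(token)
    if entry is None or now >= entry["timeout"]:
        return ("invalid", None)
    if entry["used"]:
        return ("used", None)
    if USE_COOKIE and not (cookie_nonce and hmac.compare_digest(cookie_nonce, entry["nonce"])):
        return ("invalid", None)
    # Consume: keep the record for one hour so a replay is reported as "used".
    entry["used"] = True
    entry["timeout"] = now + CONSUMED_LIFETIME
    return ("ok", entry["username"])


def purge(store, now=None):
    """Drop expired entries, as a periodic session db cleanup would."""
    now = time.time() if now is None else now
    for token in [t for t, e in store.entries.items() if now >= e["timeout"]]:
        del store.entries[token]
```

Every failure before consumption collapses to "invalid" so the response does not tell a caller which check failed; only a replay of an already consumed token gets the distinct "used" message, since that is the signal the user needs to report.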
History
Date                 User    Action  Args
2024-01-12 01:14:40  rouilj  set     recipients: + rouilj
2024-01-12 01:14:40  rouilj  set     messageid: <1705022080.56.0.548339748247.issue2551313@roundup.psfhosted.org>
2024-01-12 01:14:40  rouilj  link    issue2551313 messages
2024-01-12 01:14:40  rouilj  create