Passwordless login

clarkwinkelmann

Passwordless login

This is a custom implementation of passwordless login for Flarum.

The login modal is turned into passwordless mode by default, but login via password is still possible via a link at the bottom of the modal.
Users are still able to set a password via the password change or password reset features.

By default login links are valid for 5 minutes.

The token present at the bottom of the email can also be used as a password until it expires.
This allows connecting into a different browser than the one that received the email.

Password becomes optional in the signup process and the password field is hidden by default.
A random password is generated when the field is left empty.

Installation

composer require clarkwinkelmann/flarum-ext-passwordless

Links

[deleted]

clarkwinkelmann pretty hard to not like this 😁

tankerkiller125

Any chance of doing something similar but with QR codes kind of like Discord does now?

[deleted]

tankerkiller125 Now that...is killer....great idea

clarkwinkelmann

tankerkiller125 with QR codes kind of like Discord does now

I have not seen that feature yet. Is it a passwordless login feature ?

[deleted]

clarkwinkelmann Yes, it is.

clarkwinkelmann

I'm not sure if anyone installed this already (Packagist lists two downloads, it might be just myself), but a few bug fixes were released already.

The latest 1.0.3 fixes the registration without password that wasn't working properly. No idea how I didn't encounter that error during my testing yesterday.

The previous bugfixes were problems in the mail layout.

matteocontrini

Hi,
is there a reason why passwordless signups have a random password automatically set?

What I understand from the code is that password validation is disabled to allow for a missing password, but the password is also overriden to be random: https://github.com/clarkwinkelmann/flarum-ext-passwordless/blob/a772005219b4005c8a4105c50e3f137093c90918/src/Listeners/DontRequirePasswordOnSignUp.php

Wouldn't it be perhaps better to leave the field empty, so that admins can then count how many users signed up using the passwordless feature?

Thanks!

tankerkiller125

matteocontrini A random password is probably set because without it someone could in theory login to a user just by simply entering the username and then hitting submit. You should be able to get a count of users by looking at the entries in login_providers

clarkwinkelmann

matteocontrini tankerkiller125 I can't remember the final reason why I did it like that. The comments from the two event listeners kind of contradict each other. The idea was that I had to generate a password that would pass the validation rules. But I also removed the validation rule below...

The blank password thing might be the explanation. If I simply allow a blank password in the validator, then the hash of a blank password would be saved, and it could be used for login. What we'd need is to store a blank password column, not the hash of a blank password. Maybe that line that sets the random password could be replaced with setting a raw empty value on the model password attribute.

The choice for the 20-character random password is just copied from social logins which do this for new users. I didn't want to re-invent the wheel seeing that strategy was already used elsewhere.

I'm happy to make the change if there's a solution to set the password column to an empty string instead.

matteocontrini

Thanks for the explanation.

tankerkiller125 You should be able to get a count of users by looking at the entries in login_providers

Are you sure? It doesn't seem that anything is modified in that table by this extension

tankerkiller125

matteocontrini Ah your right. Yeah my suggestion wouldn't work in this case

clarkwinkelmann

Version 1.1.0 has been released with Flarum beta 14 support.

This new version also removes the ability to request passwordless login by entering a username. Not sure why I allowed this in the first place... With username allowed this made it easy to spam a user with login requests if you know their username, and obviously you do on a forum.

clarkwinkelmann

Version 1.2.0 has been released with Flarum beta 15 support.

anthonyrossbach

I have no idea if it's this or Pretty-Mail by FoF but it always sends using the default template that Pretty-Mail comes with from the start, but all other emails and all templates in Pretty-Mail have been updated and changed...

clarkwinkelmann

anthonyrossbach this extension has its own HTML email template that looks a lot like the one provided in Pretty Mail (instead of a plain text email like most other extensions/flarum use). I'm not sure what happens if you try using the two extension together.

Ffuser1 there is no plan to have any kind of fingerprint feature in this extension at this time. If you have a suggestion for a library/service that can be used to implement it, don't hesitate to share. I don't see how it would make sense in this extension though, as fingerprint cannot be used for passwordless login as commonly defined (user provides identification only, gets one-time login code for authorization). It makes more sense as another alternate authentication factor, but probably cannot be achieved without operating system support.

Ffuser1

Fingerprint login will make this extension great on mobile devices.

anthonyrossbach

clarkwinkelmann Any way to edit the template or can you add a way to edit the template on the next update. It's the one thing that sticks out as everything has been redesigned on this install. I will leave it as is for now as it's still an amazing and helpful extension.

Thanks! 😊

clarkwinkelmann

anthonyrossbach I'm not seeing any easy way to do it.

If I use the "default" way to send emails in Flarum (text only), then Pretty Mail will probably be able to customize it, but that's at the cost of losing all custom style for the button that's included in the current version. Plus, I'm running this extension on some websites where I don't want to install Pretty Mail if I can avoid it.

If you want to customize the template, the best course of action is probably to fork the extension, or register a custom path to another folder for blade email template using the Flarum extender. This is a lot less work than whatever I would have to do to make the email customizable in the extension itself.

clarkwinkelmann

Released version 1.3.0 with Flarum beta 16 compatibility.