Settings Option for more Secure Login URL over 6 Digit Token

[djstein]

I think this project would benefit from the ability to send in the 6 digit token OR to send in a URL to the email or phone number provided to provide login access.

The URL would be generated with to send the user to a correct URL hosted on a production domain's frontend application. The URL would be generated by salting + hashing the six digit token. This hashed value (primitive example below) could then be taken in by the login endpoint. The login view would unhash the token and if correct, return the correct token to be added to the user's cookies.

The unhashing could also be completed in the front end application and no endpoint would need to be changed, however I think this is less than ideal.

# This is incomplete. It would be required to also add a salt (setting's password?)
import hashlib
hashlib.sha256(B"123456").hexdigest()
'8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'

[aaronn]

I had originally written something like this (which is why the base token is an abstract class) but removed it because it wasn't totally up to snuff. I think something like this is still valuable.

I'd originally stored some 32 random bytes in the DB as an alternate token, but reusing the 6-digit token as a hash is an interesting way to not need to create another table. Since tokens expire after 15 minutes it should be secure enough especially with some salt.

I'd imagine validation behaves the same way– POST or maybe GET query string to some endpoint like /callback/verify/ just checks for a known active token.

What do you mean by unhashing though?