-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Settings Option for more Secure Login URL over 6 Digit Token #13
Comments
I had originally written something like this (which is why the base token is an abstract class) but removed it because it wasn't totally up to snuff. I think something like this is still valuable. I'd originally stored some 32 random bytes in the DB as an alternate token, but reusing the 6-digit token as a hash is an interesting way to not need to create another table. Since tokens expire after 15 minutes it should be secure enough especially with some salt. I'd imagine validation behaves the same way– What do you mean by unhashing though? |
I think this project would benefit from the ability to send in the 6 digit token OR to send in a URL to the email or phone number provided to provide login access.
The URL would be generated with to send the user to a correct URL hosted on a production domain's frontend application. The URL would be generated by salting + hashing the six digit token. This hashed value (primitive example below) could then be taken in by the login endpoint. The login view would unhash the token and if correct, return the correct token to be added to the user's cookies.
The unhashing could also be completed in the front end application and no endpoint would need to be changed, however I think this is less than ideal.
The text was updated successfully, but these errors were encountered: