Are Magic Links Outdated?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • nopassword

    Login via email, SMS, or whatever would use a temporary code

  • I wrote a Rails plugin for magic links at https://github.com/rocketshipio/nopassword that doesn’t suffer from many of the problems I’m seeing in the comments.

    The big thing is I only use a 6 digit numerical code that people have to copy and paste or type into the browser which they’re authenticating. I looked at stuffing a token into a URL, but it’s not a good idea because the email client may try opening the link to preview it or it may try opening the link in the wrong app/browser, such as an in-app browser.

    That may sound super insecure, but the 6 digit code is half the secret that’s needed to authenticate. The browser that the person is using to login has a much longer complex secret that must be included with the code. Additionally, this combination must be authenticated within a set number of attempts, 3 by default, within a certain timeframe, 5 minutes by default.

    My motivations for creating this, instead of using something like devise with passwords, is because I have seen soooooo many non-technical people get tripped up by passwords. I know there’s sign-in with Google, MS, etc. via OAuth, but I wanted to give people a way to login to web applications without being under the watchful eye of big tech.

  • fusionauth-issues

    FusionAuth issue submission project

  • Another issue that I don't see covered here is that some email clients (looking at you, Outlook) pre-fetch links to see if they are security risks. If you build a magic link system which handles plain old GETs, the one time code gets used up before the user can actually log in.

    We ran into this at FusionAuth and had to implement some workarounds, documented here: https://github.com/FusionAuth/fusionauth-issues/issues/629#i...

    Edit: https://news.ycombinator.com/item?id=32081192 mentions some other issues.
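    The two comments above describe complementary controls: the nopassword author pairs a short emailed code with a long secret that only the authenticating browser holds, capped at 3 attempts within 5 minutes, and the FusionAuth comment notes that a one-time code consumed on a bare GET is burned by link-scanning mail clients before the user arrives. The following is an added example written for this page, not code from nopassword or FusionAuth; the store, request dispatcher, result strings and the in-memory storage are all constructed here for illustration, and the code is returned from `issue()` only so the demo can feed it back (in a real system it goes to the inbox and nowhere else).

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 3        # "3 by default" in the comment above
TTL_SECONDS = 5 * 60    # "5 minutes by default"


@dataclass
class Challenge:
    email: str
    code: str             # short secret, delivered out of band (email/SMS)
    browser_secret: str   # long secret, held only by the requesting browser
    created_at: float
    attempts: int = 0


class LoginCodeStore:
    """In-memory store of pending login challenges (constructed for this
    example; a deployment would keep this server-side in a DB or cache)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending: dict[str, Challenge] = {}

    def issue(self, email: str) -> tuple[str, str, str]:
        """Create a challenge. Returns (challenge_id, browser_secret, code)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        browser_secret = secrets.token_urlsafe(32)   # ~256 bits, set as a cookie
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = Challenge(
            email, code, browser_secret, self._clock())
        return challenge_id, browser_secret, code

    def verify(self, challenge_id: str, browser_secret: str, code: str) -> str:
        """Return 'ok' (and consume the challenge) or a failure reason.
        Expiry and lockout delete the challenge so it cannot be retried;
        a short code alone is never enough without the browser secret."""
        ch = self._pending.get(challenge_id)
        if ch is None:
            return "unknown"
        if self._clock() - ch.created_at > TTL_SECONDS:
            del self._pending[challenge_id]
            return "expired"
        ch.attempts += 1
        # Compare both halves with constant-time comparison, without
        # short-circuiting, so a mismatch reveals nothing about which half failed.
        secret_ok = hmac.compare_digest(ch.browser_secret, browser_secret)
        code_ok = hmac.compare_digest(ch.code, code)
        if secret_ok and code_ok:
            del self._pending[challenge_id]
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return "locked"
        return "mismatch"


def handle_login_request(store: LoginCodeStore, method: str,
                         challenge_id: str, browser_secret: str,
                         code: str) -> tuple[int, str]:
    """Toy dispatcher for the FusionAuth point: a bare GET, which is all a
    link-scanning mail client sends, renders a confirmation form and touches
    nothing. Only an explicit POST from the browser holding the secret verifies."""
    if method == "GET":
        return 200, "not-consumed"
    if method == "POST":
        result = store.verify(challenge_id, browser_secret, code)
        return (200 if result == "ok" else 403), result
    return 405, "method-not-allowed"


def demo() -> list[str]:
    """Walk through a prefetch, a code-only guess and the real login."""
    store = LoginCodeStore()
    cid, bsec, code = store.issue("user@example.test")   # constructed address
    results = [handle_login_request(store, "GET", cid, "", "")[1]]   # prefetch
    results.append(handle_login_request(store, "POST", cid, "", code)[1])  # code only
    results.append(handle_login_request(store, "POST", cid, bsec, code)[1])  # real login
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `['not-consumed', 'mismatch', 'ok']`: the scanner's GET costs nothing, the emailed code on its own is rejected, and the browser that started the flow completes it. A lockout after the third wrong attempt and a hard expiry after five minutes bound the guessing space of the six-digit code, which is the property the nopassword comment relies on.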

  • You should take this nopassword repo down. It's a good example of why you shouldn't "roll your own" in InfoSec, and it would honestly make me skeptical of any of your other security work. It looks like you may not be using it for anything sensitive, but I'm worried that someone else might try to.

    As an alternative, there are many hosted services (e.g. Auth0) that are well-regarded, and I'm sure there are some self-hosted options. There seems to be at least one way to do magic links on top of Keycloak [1].

    1. https://github.com/p2-inc/keycloak-magic-link

  • auth0-java

    Java client library for the Auth0 platform

  • I haven't used it in a while, but it sounds like Auth0 [https://auth0.com/] is what you're looking for.
