Simple login by email via deep links containing a username

thoka · November 29, 2023, 12:25am

I would like to lower the hurdle to login in our school forum by the following procedure:

Links sent by mail to the (mostly non-public) forum should contain the username of the addressed user (like forum.my.tld/t/123#user=toka)
If a not logged-in user opens this link, a page offers to send a login link by clicking a button.
If clicked, a login with a login token should be sent to the user, which then allows them to open the target page without further interaction for a specific time. Otherwise, a “resend login link” button should be offered.

Has this already been implemented somewhere?

If not: which machinery exists, which could be used to implement it?

pfaffman · November 29, 2023, 10:32am

You want to use DiscourseConnect such that users logged in to your system are also logged into Discourse.

Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso)

thoka · November 29, 2023, 10:03pm

There is no other system.
Most of the users use the forum only by mail.

sam · November 30, 2023, 1:14am

We already support login via email:

So automating/simplifying this is certainly feasible.

thoka · November 30, 2023, 10:21pm

Yes. This is our prominent way to log into the forum. But for a big part of the users, this seems to be too difficult.

In addition, we face the problem that some users use non-identical email addresses in their communication. For example, (at)gmail.com and (at)googlemail.com, or email addresses with or without added dots in the username. They do not remember which email address they once wrote on the paper (yes, sorry, it’s Germany) registration form and are either unaware of these problems or of the possibility to learn about their “login email address” by checking their mail headers.

Therefore, I am investigating a way that links sent to users allow users to log in without further knowledge of how to use the Discourse login procedure.

sam · November 30, 2023, 10:23pm

There is certainly a security risk, if you are comfortable to accept it, some automation that generates the links we generate when you try to log in via email, is certainly feasible, as long as they already have accounts.

thoka · November 30, 2023, 10:29pm

Hm. I tried to circumvent this in my proposal.
I understand that links which would log users in directly are dangerous.

But with the suggested mechanism, the only risk I see is users getting unwanted login links sent to them.

thoka · April 8, 2024, 7:34am

I have a first working implementation:

Now I’m trying to learn how to decorate all links to discourse in notifications with user information.

thoka · May 28, 2024, 9:35am

This feature is now implemented in

Where is the right place to ask for possibilities not to have to override core methods like

github.com

thoka/discourse-login-helper/blob/9fe18117c87139e3facf5673d55f5fce82258a52/assets/javascripts/discourse/initializers/login_helper.js#L10-L50


      
          EmailLoginController.reopen({
            actions: {
              finishLogin() {
                let data = {
                  second_factor_method: this.secondFactorMethod,
                  timezone: moment.tz.guess(),
                };
                if (this.securityKeyCredential) {
                  data.second_factor_token = this.securityKeyCredential;
                } else {
                  data.second_factor_token = this.secondFactorToken;
                }
          
                ajax({
                  url: `/session/email-login/${this.model.token}`,
                  type: "POST",
                  data,
                })
                .then((result) => {
                    if (result.success) {

This file has been truncated. show original

and

github.com

thoka/discourse-login-helper/blob/9fe18117c87139e3facf5673d55f5fce82258a52/plugin.rb#L146-L177


      
          module SessionControllerExtension
            def email_login
              # puts "🔵 email_login params: #{params.to_json}"
              token = params[:token]
              matched_token = EmailToken.confirmable(token, scope: EmailToken.scopes[:email_login])
              user = matched_token&.user
          
              check_local_login_allowed(user: user, check_login_via_email: true)
          
              rate_limit_second_factor!(user)
          
              if user.present? && !authenticate_second_factor(user).ok
                return render(json: @second_factor_failure_payload)
              end
          
              if user = EmailToken.confirm(token, scope: EmailToken.scopes[:email_login])
                if login_not_approved_for?(user)
                  return render json: login_not_approved
                elsif payload = login_error_check(user)
                  return render json: payload

This file has been truncated. show original

to redirect to a destination_url after login

github.com

thoka/discourse-login-helper/blob/9fe18117c87139e3facf5673d55f5fce82258a52/assets/javascripts/discourse/initializers/login_helper.js#L31-L32


      
          let destination = result.destination_url || "/";

?

Topic		Replies	Views
Generate an "email me a login link" URL Support	6	77	September 18, 2024
Login Helper Plugin Plugin email , login	5	352	May 28, 2024
Invite tokens without email? Feature invites	9	2440	June 3, 2022
How do i get the "with email" login option? Support	11	2460	November 6, 2018
Multiple users with a single email Support	7	1306	February 20, 2019

Simple login by email via deep links containing a username

Related Topics