abevoelker/devise-passwordless

Second device login?

Closed this issue · 5 comments

Hi -- first, thanks for doing devise-passwordless! It's a cool thing, and seems to work.

I have a use case that doesn't appear to work:

  1. I'd like to bring up the page on device 1, on which I don't have email.
  2. I'd like to put in my email, and get a link emailed to me.
  3. I'd like to read the email, and click the link, on device 2 which does have email.
  4. I'd like the session on device 1 to be validated. It's fine if it's valid for device 2 as well.

Any clues appreciated -- Thanks!

That sounds like an interesting UX. Obviously the gem isn't built to accommodate that at the moment.

Off the cuff I think you could accomplish something like that by having the Rails server store some kind of nonce session value (think SecureRandom.base58(50)) on Device 1's cookie when Device 1 initiates the login request, and attach that nonce value to the link that gets generated and emailed. Device 1 would then busy poll an endpoint that will convert its cookie into a logged-in cookie (Devise's sign_in helper) when Device 2 visits the magic link.

Maybe there's an easier way I'm not thinking of but that's one way. You'd want to be careful your busy wait endpoint isn't vulnerable to timing attacks or things of that nature.
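One way to sketch the nonce-plus-polling flow described above, as an added example that is not part of the gem or of this thread (Ruby stdlib only; the class name, method names and the in-memory store are assumptions, and a real app would persist the rows and call Devise's `sign_in` from the poll endpoint):

```ruby
require "securerandom"
require "digest"

# In-memory stand-in for the server-side store (a DB table or cache in a real app).
class CrossDeviceLogin
  TTL = 10 * 60 # seconds a pending request stays valid
  Pending = Struct.new(:email, :link_digest, :confirmed, :created_at)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @pending = {} # nonce digest => Pending
    @by_link = {} # link-token digest => nonce digest
  end

  # Step 1, Device 1 submits its email: put :cookie_nonce in Device 1's cookie and email
  # :link_token. Only SHA-256 digests are stored and used as hash keys, so no code path
  # compares raw secrets byte by byte (the timing concern raised above).
  def start(email)
    nonce = SecureRandom.urlsafe_base64(32) # SecureRandom.base58 needs ActiveSupport
    link_token = SecureRandom.urlsafe_base64(32)
    @pending[digest(nonce)] = Pending.new(email, digest(link_token), false, @clock.call)
    @by_link[digest(link_token)] = digest(nonce)
    { cookie_nonce: nonce, link_token: link_token }
  end

  # Step 2, Device 2 opens the emailed link. Unknown, expired, or already-used tokens
  # are rejected; the link is single-use.
  def confirm_link(link_token)
    nonce_digest = @by_link.delete(digest(link_token))
    entry = nonce_digest && @pending[nonce_digest]
    return false if entry.nil? || expired?(entry) || entry.confirmed
    entry.confirmed = true
  end

  # Step 3, Device 1 polls or refreshes. Returns the email to sign in (a Rails app would
  # call Devise's sign_in here) once the link was clicked, nil otherwise; the request is
  # consumed so the cookie nonce cannot be replayed.
  def poll(cookie_nonce)
    key = digest(cookie_nonce)
    entry = @pending[key]
    return nil if entry.nil? || expired?(entry) || !entry.confirmed
    @pending.delete(key)
    entry.email
  end

  private
  def digest(secret); Digest::SHA256.hexdigest(secret); end
  def expired?(entry); @clock.call - entry.created_at > TTL; end
end
```

The cookie nonce alone never signs anyone in; only a confirmed, unexpired, unconsumed request does, so a stolen Device 1 cookie is useless without the emailed link.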

Thanks @abevoelker! Good ideas. I think I may try implementing my own ideas; I don't need all the "weight" of Devise for this, as it's a (very) simple application. And, yeah, I think I'll just have it say, "Refresh this page once you've clicked the email link" to avoid a busy-wait.

Up to you if you want to close this.

For the record, this was inspired by a web exercise app, that let me log in to (for example) a smart-TV browser that I didn't have email set up on (nor would I want to). I also don't have email set up on my tablet.

@csterritt Got it, yeah that use case makes perfect sense then. If you don't want the full weight of Devise but want something a little more useful than session variables, you could write a Warden strategy (Devise is built on top of Warden if you didn't know). Devise requires Rails but Warden works with any Rack app. I found this RailsConf video to be a useful primer on Warden when writing this gem if you go that route.

Closing this for now since it doesn't pertain to the gem. Good luck to you on your project.