florianheinemann/passwordless

Direct API


We would like to use passwordless for authentication, but have a need to create and invalidate tokens directly from the node process that also runs the express server. In other words, we would like to call the API without using the express middleware.

Besides the user being able to enter their email address and receiving a login link with a token, we would like to be able as an administrator to create the url for the user and send it to the email (without user intervention).

There is a function passwordless.requestToken but it should be used as express middleware.

I am also interested in the security implications of generating the links ahead of time for the user, as the creation of the token doesn't happen in real time (when the user actually has the intention to log in).

Subsequently, the administrator should be able to log out the user and invalidate the tokens. There is a function passwordless.logout, but it looks like it only works through the express middleware.

@florianheinemann : I wouldn't mind making a PR for these features, but I wanted to get your feedback on it before I start, just so I don't create anything that can't be used or won't be merged.

Thank you for any feedback.

Hey!

If I understand you correctly, you want to use the regular library implementation (incl. express) but also have a second way outside of express to log in / log out, triggered by an admin. Is that correct? Am I also correct to assume that for the "regular" use case it's a normal website rather than e.g. a REST interface? If otherwise, let me know, as I might have some further thoughts in those cases.

With regards to your questions:

  • If you really want to run it entirely outside express, this will be the right way of doing it: #66
  • Depending on your setup (and if you have express set up anyway for your regular use cases), it might be even easier to call requestToken as middleware on a special URL for admins. This could even be done without running a browser, by simply making an HTTPS call.
  • In terms of security I see no issues. However, think about where those clear text tokens will be stored before they are used! They are password equivalents! In passwordless' database they are fully hashed and salted and hence secure. Where will you store them and how long will they remain in clear? How many of those will be in one place in case you are breached? Those are questions you might want to reason about. Drop me a note if you want to further discuss.
  • Do you want to invalidate the token or log the user out of the service? In the first case, just call the appropriate API of the token store directly (invalidateUser). In the second case this should help: #51

Hope that helps!

Cheers

Separating out the token creation functionality from the request cycle stuff is useful and a good idea for lots of reasons. It makes the code easier to work with in general and it makes this library more testable. A problem I'm having currently is testing my API and being able to create tokens in test setup functions. The way the library is set up currently makes it very hard to test.

This would be pretty easy to accomplish in a PR. It should just be a matter of exporting the token creation logic as its own function.