Open Nonononoki opened 10 months ago
Currently the only way to differentiate a user that uses email from one that uses social login is their password (it is null on social login). A new column must be added to the user table when removing the password column.
CAPTCHAs should still be used in the contact form to prevent spam.
I am against this feature, at least as long as it is obligatory. When using password managers, a password is much more convenient than a mail link I have to click each time.
Optional is fine though.
Simply solved by a patched SecurityConfig.java on my Alovoa fork (see branch cf-full-featured): I delegated that requirement to my private OpenID Connect provider (Keycloak). On my test environment Alovoa users can use their credentials also for a Matrix server (Synapse + Element) as a true single sign-on solution.
Also see #291
BTW: If someone does not know Keycloak, it is an open source OpenID Connect identity provider solution. An official Docker image is available.
Description: When logging in using email, the user now requests an OTP instead of entering their password. The OTP is sent via email.
Benefits: The user does not need to remember their password. An OTP is much harder to crack than a static password. No more CAPTCHAs :)
Downsides: Reliance on the mail server. If it ever crashes, users won't be able to log in anymore.
TODO: Remove the password field from the user. Remove all CAPTCHAs and their handling. Remove password-related classes and services (like resetting). Add an OTP table in the DB and change authentication. The OTP should be randomly generated alphanumeric characters with a length of 9(?). User OTP data should be cleared once the user logs in or after 10 minutes. Also adjust authentication in alovoa-expo.
Note: Password-based authentication should still be around for a while (not in the web frontend) for a transition period.
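A minimal version of the OTP flow sketched in the description above, as an added example that is not Alovoa's code: Spring wiring, the JPA entity and the mail sender are left out, an in-memory map stands in for the OTP table, and the attempt cap is an assumption not present in the issue. The code is 9 random alphanumeric characters from SecureRandom, only its SHA-256 hash is stored, and the row is cleared on successful login, after 10 minutes, or after too many wrong guesses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** In-memory stand-in for the proposed OTP table: one pending code per email, hashed at rest. */
public class EmailOtpService {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int OTP_LENGTH = 9;                    // length proposed in the issue
    private static final Duration TTL = Duration.ofMinutes(10); // clear after 10 minutes, as proposed
    private static final int MAX_ATTEMPTS = 5;                  // assumption: attempt cap is not in the issue

    private record PendingOtp(byte[] hash, Instant expiresAt, int attempts) {}
    private final Map<String, PendingOtp> pending = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Generates a code for the user, stores only its hash, and returns the plaintext to be emailed. */
    public String issue(String email) {
        StringBuilder sb = new StringBuilder(OTP_LENGTH);
        for (int i = 0; i < OTP_LENGTH; i++) {
            sb.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        String otp = sb.toString();
        pending.put(email, new PendingOtp(sha256(otp), Instant.now().plus(TTL), 0));
        return otp; // hand to the mail sender; never log or persist the plaintext
    }

    /** Consumes the code: valid only once, only before expiry, compared in constant time. */
    public boolean verify(String email, String submitted) {
        PendingOtp p = pending.get(email);
        if (p == null) return false;
        if (Instant.now().isAfter(p.expiresAt()) || p.attempts() >= MAX_ATTEMPTS) {
            pending.remove(email);                 // expired or locked: purge the row
            return false;
        }
        boolean ok = MessageDigest.isEqual(p.hash(), sha256(submitted));
        if (ok) pending.remove(email);             // single use: clear on successful login
        else pending.put(email, new PendingOtp(p.hash(), p.expiresAt(), p.attempts() + 1));
        return ok;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

In a real deployment the map would be the OTP table and a scheduled job would delete rows whose expiresAt has passed, so stale codes do not linger even for users who never return.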