Open dereuromark opened 5 months ago
It looks like there are a few components to a login flow like this:
Do we need storage for tokens? It seems like a signed token could contain the identifier, expiration time. If we wanted to support a limited number of token uses, we could store that data in a cache backend instead of requiring formal schema.
For the old auth component I built a token-based system that stores the token in the DB. It has the advantage of invalidation control - and shorter URLs :)
But for this kind of plugin here, the Symfony style with a hash and all params contained seems sufficient. This way no storage is needed; they are basically just valid until expiration.
I'm biased to stateless tokens as they are simpler to get going and can offer the same level of security as stateful ones can (with some caching).
See https://symfony.com/doc/current/security/login_link.html
Probably similar to the Token authenticate, but more stateful, and probably with a similar hashing algo. The database approach would be something that could be a custom user-land plugin.