florianheinemann / passwordless

node.js/express module to authenticate users without password
MIT License
1.95k stars 129 forks

Direct API #98

Open antonkarsten opened 7 years ago

antonkarsten commented 7 years ago

We would like to use passwordless for authentication, but have a need to create and invalidate tokens directly from the node process that also runs the express server. In other words we would like to call the api without using the express middleware.

1) Besides the user being able to enter their email address and receiving a login link with a token, we would like to be able as an administrator to create the url for the user and send it to the email (without user intervention).

There is a function passwordless.requestToken but it should be used as express middleware.

I am also interested in the security implications of generating the links ahead of time for the user, as the creation of the token doesn't happen in real time (when the user actually has the intention to login).

2) Subsequently the administrator should be able to logout the user and invalidate the tokens. There is a function passwordless.logout, but as it looks like it only works through the express middleware.

@florianheinemann : I wouldn't mind making a PR for these features, but I wanted to just get your feedback on it before I start. Just so I don't create anything that can't be used or won't be merged.

thank you for any feedback

florianheinemann commented 7 years ago

Hey!

If I understand you correctly you want to use the regular library implementation (incl. express) but also have a second way outside of express to login / log out triggered by an admin. Is that correct? Am I also correct to assume that for the "regular" use case it's a normal website rather than e.g. a REST interface? If otherwise let me know as I might have some further thoughts in those cases.

With regards to your questions:

1)

2) do you want to invalidate the token or log the user out of the service? In the first case just call the appropriate API of the token store directly (invalidateUser). In the second case this should help: https://github.com/florianheinemann/passwordless/issues/51

Hope that helps!

Cheers

ajsharp commented 5 years ago

Separating out the token creation functionality from the request cycle stuff is useful and a good idea for lots of reasons. It makes the code easier to work with in general and it makes this library more testable. A problem I'm having currently is testing my api, and being able to create tokens in test setup functions. The way the library is set up currently makes it very hard to test.

This would be pretty easy to accomplish in a PR. It should just be a matter of exporting the token creation logic as its own function.