[FEAT]: Implement Magic Link Endpoint

[masterchief-Dave]

Description:

Implement magic link authentication for password less login. This feature will generate a unique token which is time-limited when a user requests login.

Acceptance Criteria:

• [ ] The endpoint should return a 422 Unprocessable Entity if no email is provided in the body of the request.
• [ ] The endpoint should return 400 Bad Request if the email is not a valid email address.
• [ ] The client will make a POST request through a secure channel to api/v1/magic-link and pass a valid email in the body of the request.
• [ ] The server will check if the user exists in the database
  • If the user is not found then the user is requested to create an account and the request terminates.
• [ ] The backend will send a time-based token to the user's email address.
• [ ] The email will contain the token as well as information regarding the expiration of the token.
• [ ] If the user clicks on the token after it has expired a 400 Bad Request error should be sent to the client with the message message: Invalid token.
• [ ] If the client clicks on the token within the timeframe (before the token expires) then the backend will verify the token if it is legitimate.
  • It the token is legitimate then the backend processes the user request.
  • If the token is not legitimate 400 Bad Request error is sent and the client is redirected to the login page.
• [ ] If the user exists in the database:
  • If the user exists then the database is updated where necessary.
  • Server sends a redirect URL to the client and also sets the appropriate cookies in the response to the client afterwards the client is logged in

Expected Outcome:

• [ ] The user should be logged in if authentication is successful.
• [ ] The user should be redirected to the login page if authentication failed.

Requirements:

• Provide api documentation on how to request a magic link and use it for login.
• Implement functionality to validate user request body
• Create endpoint for sending magic link.
• Implement functionality to generate secure token.
• Implement functionality to send the send email with the token and information regarding the expiration.
• Create endpoint for authenticating magic link.
  • If the token is valid; Implement functionality to send appropriate response as well redirect URL.
  • If the token is in-valid; implement functionality to send appropriate error response.
• Implement rate-limiting to avoid abuse
• Ensure the user can always request and use magic links.
• Write tests to validate functionality and endpoints.

Endpoints:

• Magic link generation Endpoint
  • Description: Generate magic link and send to the client's email service
  • Endpoint: POST /api/v1/auth/magic-link
  • Request body: email: user@email.com
  • Input validation:
    • Validate the user's input if no email address was provided 422
    • Validate the email address if it is valid 400
• Input validation error Response:

  {
  "message": "Unprocessable entity",
  "status_code": 422
  }

  {
  "message": "Bad Request",
  "status_code": 400
  }

  • User not found in database:

    "message": "Please create an account",
    "status_code": 404

  • OK Response:

    {
    "message": "Sign-in token sent to user@email.com",
    "status_code": 200,
    }

• Magic link authentication Endpoint
  • Description: Validate and authenticate the token sent from client
  • Endpoint: GET /api/v1/auth/magic-auth?token={token}
  • Request body: ``
  • Validate the user token
  • If the token is valid send appropriate cookie to the client and login the user 200
  • If the token is invalid or has expired send 400 to the client
  • Invalid token response:

    {
    "message": "Invalid Token", 
    "status_code": 400 
    }

    Response Header: Authorization: Bearer {access_token} Set-Cookie Header: Set-Cookie: refreshToken={refresh_token}; HttpOnly; Secure; Path=/; Max-Age:3600

    "message": "OK",
    "status_code": 200,
    "data": {
    "user":  {
    "id": "123",
    "email": "user@email.com",
    "firstName": "user", 
    "lastName": "user_lastname"
    }
    "token": "{access-token}"
    }

• Rate-Limiting

  "message": "Too many requests, please try again later after {} minutes",
  "status_code": 429

• Server Error

  {
  "message": "Server Error",
  "status_code": 500
  }

Test

The Endpoint should:

• It should throw an error for invalid token.
• It should validate the token and return user information.
• It should throw not found error for non-existing user.
• It should generate magic link for existing users.
• It should generate an access token for a valid user ID

[AdeGneus]

Refactor this