Implement magic link authentication for passwordless login. When a user requests a login, this feature generates a unique, time-limited token and sends it to the user's email address.
Acceptance Criteria:
[ ] The client makes a POST request over a secure channel (TLS) to `/api/v1/auth/magic-link` with a valid email in the request body.
[ ] The endpoint returns 422 Unprocessable Entity if no email is provided in the request body.
[ ] The endpoint returns 400 Bad Request if the email is not a valid email address.
[ ] The server checks whether a user with that email exists in the database.
    If the user is not found, the user is asked to create an account and the request terminates. (Note that this response tells the caller whether an address is registered, so the rate limit under Requirements must apply to this endpoint as well.)
[ ] If the user exists, the backend generates a time-limited token and sends it to the user's email address.
[ ] The email contains the token (as a link) and states when the token expires.
[ ] If the user clicks the link after the token has expired, a 400 Bad Request error with the message `message: Invalid token` is sent to the client.
[ ] If the user clicks the link before the token expires, the backend verifies that the token is legitimate.
    If the token is legitimate, the backend processes the user's request.
    If the token is not legitimate, a 400 Bad Request error is sent and the client is redirected to the login page.
[ ] On successful verification of an existing user:
    The database is updated where necessary.
    The server responds with a redirect URL and sets the appropriate cookies in the response; the client is then logged in.
Expected Outcome:
[ ] The user is logged in if authentication succeeds.
[ ] The user is redirected to the login page if authentication fails.
Requirements:
Provide API documentation on how to request a magic link and use it to log in.
Implement validation of the request body.
Create the endpoint for sending the magic link.
Implement secure token generation.
Implement sending the email containing the token and its expiration information.
Create the endpoint for authenticating with the magic link.
If the token is valid, send the appropriate response together with the redirect URL.
If the token is invalid, send the appropriate error response.
Implement rate limiting to prevent abuse.
Ensure the user can always request a new magic link and use it to log in.
Write tests that validate the functionality and the endpoints.
Endpoints:
Magic link generation endpoint
Description: Generate a magic link and send it to the user's email address.
Endpoint: POST /api/v1/auth/magic-link
Request body:
  { "email": "user@email.com" }
Input validation:
  No email address provided: 422 Unprocessable Entity
  Email address not valid: 400 Bad Request
Magic link authentication endpoint
Description: Verify the token from the magic link and log the user in.
Endpoint: GET /api/v1/auth/magic-auth?token={token}
Responses:
  200 OK if the token is valid; the response carries the redirect URL to the client
  400 Bad Request if the token is invalid or expired
Response header:
  Authorization: Bearer {access_token}
Set-Cookie header:
  Set-Cookie: refreshToken={refresh_token}; HttpOnly; Secure; Path=/; Max-Age=3600
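As an added worked example (not code from this issue or its project), the following Python module implements the logic of both endpoints above as plain functions, so the acceptance criteria can be exercised without a web framework. Values the issue does not fix are assumptions here: a 15-minute token lifetime, a rate limit of 3 requests per email per 15 minutes, a 404 for an unknown account, `/` as the post-login redirect and `https://example.test` as the host in the emailed link. The user table and the mail service are replaced by an in-memory set and list.

```python
"""Reference flow for the magic-link endpoints (example code, not the issue's implementation)."""
import hashlib
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60        # assumed lifetime of a magic link
RATE_LIMIT_MAX = 3                 # assumed: requests allowed per email per window
RATE_LIMIT_WINDOW = 15 * 60        # assumed window in seconds
BASE_URL = "https://example.test"  # assumed host for the link in the email
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    def __init__(self, known_users: List[str], clock: Callable[[], float] = time.time):
        self.users = {u.lower() for u in known_users}   # constructed stand-in for the user table
        self.clock = clock                               # injectable so expiry can be tested
        self.pending: Dict[bytes, PendingLink] = {}      # token hash -> link record
        self.requests: Dict[str, List[float]] = {}       # email -> request timestamps
        self.outbox: List[dict] = []                     # constructed stand-in for the mail service

    @staticmethod
    def _hash(token: str) -> bytes:
        # Only the SHA-256 of the token is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).digest()

    def request_link(self, body: dict) -> dict:
        """POST /api/v1/auth/magic-link"""
        email = body.get("email")
        if email is None or email == "":
            return {"status": 422, "message": "Email is required"}
        if not isinstance(email, str) or not EMAIL_RE.match(email.strip()):
            return {"status": 400, "message": "Invalid email address"}
        email = email.strip().lower()
        now = self.clock()
        # Sliding-window rate limit per email, applied before the existence check so the
        # "create an account" reply cannot be used to enumerate addresses quickly.
        recent = [t for t in self.requests.get(email, []) if now - t < RATE_LIMIT_WINDOW]
        if len(recent) >= RATE_LIMIT_MAX:
            return {"status": 429, "message": "Too many requests"}
        recent.append(now)
        self.requests[email] = recent
        if email not in self.users:
            return {"status": 404, "message": "No account for this email; please create an account"}
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        expires_at = now + TOKEN_TTL_SECONDS
        self.pending[self._hash(token)] = PendingLink(email, expires_at)
        self.outbox.append({
            "to": email,
            "link": f"{BASE_URL}/api/v1/auth/magic-auth?token={token}",
            "expires_at": expires_at,   # the email states when the link expires
        })
        return {"status": 200, "message": "Magic link sent"}

    def authenticate(self, token: Optional[str]) -> dict:
        """GET /api/v1/auth/magic-auth?token={token}"""
        invalid = {"status": 400, "message": "Invalid token", "redirect": "/login"}
        if not token:
            return invalid
        key = self._hash(token)
        link = self.pending.get(key)
        if link is None or link.used or self.clock() > link.expires_at:
            # Unknown, expired and replayed tokens all get the same answer.
            self.pending.pop(key, None)
            return invalid
        link.used = True                  # single use: a second click must fail
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        return {
            "status": 200,
            "redirect": "/",              # assumed post-login destination
            "headers": {
                "Authorization": f"Bearer {access_token}",
                "Set-Cookie": f"refreshToken={refresh_token}; HttpOnly; Secure; Path=/; Max-Age=3600",
            },
        }


def demo() -> dict:
    """Run the happy path with a constructed user and return the final response."""
    svc = MagicLinkService(["alice@example.com"])
    svc.request_link({"email": "alice@example.com"})
    token = svc.outbox[-1]["link"].split("token=", 1)[1]
    return svc.authenticate(token)
```

Three choices matter for security here: the server stores only a hash of the token, so a database read does not yield usable links; a token is marked used on first redemption, so a link forwarded or intercepted after use fails; and unknown, expired and reused tokens all receive the same `Invalid token` response, as the acceptance criteria require.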
Tests:
The endpoints should: