iokiwi / moneyapp

Parsing OFX files for personal budgeting and financial insights
Mozilla Public License 2.0

Include phishing warning on magic signup link email #26

Closed iokiwi closed 1 year ago

iokiwi commented 1 year ago

Magic sign up link should warn people about clicking on signup links they didn't request. This should be as simple as modifying the text in the send_email method.

https://github.com/iokiwi/moneyapp/blob/main/app/users/views.py#L30-L43

def send_email(user, link):
    """Send an email with this login link to this user."""
    user.email_user(
        subject="[django-sesame] Log in to our app",
        message=f"""\
        Hello,

        You requested that we send you a link to log in to our app:

            {link}

        Thank you for using django-sesame!
        """,
    )

Note that in Dev, we don't actually send email. Email will be printed to the console as configured by settings.py:

EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"

https://github.com/iokiwi/moneyapp/blob/main/app/moneyapp/settings.py#L74

iokiwi commented 1 year ago

@ankitgadling you could pick this one up too

ankitgadling commented 1 year ago

can you please explain it in detail

iokiwi commented 1 year ago

Background

Yes. For this app we use Magic Links for signup / login instead of using a username and a password.

This makes life easy for us as we don't need to build 2fa or password reset or password security policies.

However, anyone who gets hold of a magic link can use it to log into your account (within 5 minutes - then the link expires). This is an attack vector for phishing and scamming.

A scammer who knows your email address and phone number might type your email address into the login form.

An email will get sent to you with a magic sign on link.

The attacker might then phone you up and ask you to send them that link - they will try to trick you or convince you that it's important or that it's safe to send them that link.

They might tell you they work for us, or they are a friend or a colleague, or law enforcement, or a financial guru who can make you rich if you give them access.

So we should make it explicitly clear to the user that they should NEVER share their magic link with ANYONE under ANY circumstances.

The Task

We should add information to the body of the email explaining to the user that:

  1. They should never show this link to anyone else
  2. The administrators of the project or website will never ask you to share your magic email link.

The body of the email is generated in the def send_email(user, link): function in https://github.com/iokiwi/moneyapp/blob/main/app/users/views.py
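A worked version of the change this task asks for, added here as an illustration and not code from the moneyapp repository: the email body is built by a plain function (django-sesame and Django itself are left out so it runs stand-alone), and a second function checks that both warnings are present before anything is sent. The warning wording, the `build_login_email` and `has_phishing_warning` names, and the hypothetical `send_email` wrapper are assumptions for this example.

```python
from textwrap import dedent

# Wording for the two statements the task asks for (constructed for this example).
NEVER_SHARE = "Never share this link with anyone, under any circumstances."
ADMINS_NEVER_ASK = "The administrators of this site will never ask you for this link."
LINK_LIFETIME_MINUTES = 5  # matches the expiry mentioned in the issue


def build_login_email(link: str) -> dict:
    """Return subject and body for a magic-link login email that carries the phishing warning."""
    body = dedent(f"""\
        Hello,

        You requested that we send you a link to log in to our app:

            {link}

        This link expires in {LINK_LIFETIME_MINUTES} minutes and grants full access to your account.

        {NEVER_SHARE}
        {ADMINS_NEVER_ASK}
        If you did not request this email, ignore it and do not forward it to anyone.

        Thank you for using django-sesame!
        """)
    return {"subject": "[django-sesame] Log in to our app", "body": body}


def has_phishing_warning(body: str, link: str) -> bool:
    """Pre-send guard: both warnings present and the link appears exactly once."""
    return (
        NEVER_SHARE in body
        and ADMINS_NEVER_ASK in body
        and body.count(link) == 1
    )


def send_email(user, link: str) -> None:
    """Hypothetical replacement for the project's send_email; user.email_user is Django's API."""
    mail = build_login_email(link)
    if not has_phishing_warning(mail["body"], link):
        raise ValueError("refusing to send a magic link without the phishing warning")
    user.email_user(subject=mail["subject"], message=mail["body"])
```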

ankitgadling commented 1 year ago

I am available to work on the issue could you please assign me this issue

iokiwi commented 1 year ago

Let me know if you have any questions

ankitgadling commented 1 year ago

Hi @iokiwi I have added the warning in the body of email, let me know if any changes are needed. [image: email warning]

iokiwi commented 1 year ago

It's perfect. Raise a pr and I will merge it in the morning