kucherenko / strapi-plugin-passwordless

A plugin for Strapi Headless CMS that provides the ability to sign in/sign up to an application via a link sent by email.
MIT License
77 stars 27 forks

Documentation or example frontend for passwordless authentication flow #32

Open EugeneDraitsev opened 4 months ago

EugeneDraitsev commented 4 months ago

Hi!

I have a question on the Frontend part of passwordless out. The API works great, I get emails with the correct token and can use it to get the correct jwt-token!

However, I don't quite understand how to use it with Strapi (v4) as there is now no way to customize the default strapi login page and no way to display a custom button + input to request email with passwordless link. I also don't really understand how to handle the redirect, as there is no documentation about custom pages in strapi where I can control the redirect logic.

Do you have any examples or frontend documentation for a passwordless authentication flow for strapi?

kucherenko commented 4 months ago

thank you for the ticket, will add examples

EugeneDraitsev commented 4 months ago

Thank you for the fast response! It would be really great to see some examples!

I made a workaround and created static login and redirect-callback pages, but I was not able to use the passwordless token as a token for the admin panel for some reason.

I receive a loginToken in my email, I can get a jwtToken from the /api/passwordless/login endpoint, but when I try to use this jwtToken with the Strapi Admin Panel (set it in session storage) or with the Strapi API (/admin/users/me) I get an error:

{
    "data": null,
    "error": {
        "status": 401,
        "name": "UnauthorizedError",
        "message": "Missing or invalid credentials",
        "details": {}
    }
}

I also tried to renew this token with the admin/renew-token endpoint, but still got almost the same error:

{
    "data": null,
    "error": {
        "status": 400,
        "name": "ValidationError",
        "message": "Invalid token",
        "details": {}
    }
}

It looks like I'm missing something; it would be really great if you could help me with it.

My Strapi and plugins versions:

    "@strapi/plugin-users-permissions": "4.20.2",
    "@strapi/provider-email-nodemailer": "^4.20.2",
    "@strapi/strapi": "4.20.2",
    "strapi-plugin-passwordless": "^4.0.15"

I run Strapi in Docker with node:20-alpine and mysql:8-oracle.

EugeneDraitsev commented 4 months ago

@kucherenko, I figured out why the jwtToken doesn't work in the admin panel, and now I feel like I just don't really understand how this plugin works. I am trying to authorize Strapi admin panel users using this plugin, but for some reason, if I create a user with the passwordless plugin, it is created in the up_users table but doesn't exist in admin_users. I also can't send a login email to existing users' emails (for the same reason: they exist in admin_users, but not in up_users).

Is it by design of this plugin, or maybe I'm still missing something? It would be really great if you could help me understand it!

kucherenko commented 4 months ago

@EugeneDraitsev yes, you are right. The plugin supports passwordless authentication for public users of sites powered by Strapi; the admin panel of Strapi has different ways to authenticate users.
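The two comments above describe the flow the original poster was after: the emailed loginToken is exchanged at /api/passwordless/login for a JWT, and that JWT belongs to the users-permissions (public users) side of Strapi, so it authorizes /api/users/me rather than /admin/users/me. The following browser-side callback handler is an added example, not code from the plugin or from either participant. It assumes (these details are not confirmed by the thread) that the emailed link carries the token as a `loginToken` query parameter, that GET /api/passwordless/login accepts `?loginToken=` and answers `{ jwt, user }`, and that Strapi's standard error envelope `{ data: null, error: { status, name, message } }` is returned on failure. `fetch` is injectable so the functions can be exercised without a running Strapi.

```javascript
// Added example: client-side handler for a passwordless callback page.
// Not part of strapi-plugin-passwordless; endpoint shapes are assumptions.

const STRAPI_URL = "http://localhost:1337"; // constructed base URL for the example

// Pull the one-time loginToken out of the URL the email linked to.
// Returns null when the parameter is absent or empty.
function extractLoginToken(href) {
  const url = new URL(href);
  const token = url.searchParams.get("loginToken");
  return token && token.length > 0 ? token : null;
}

// Build the (assumed) plugin login URL; the token is URL-encoded as a query value.
function buildLoginUrl(baseUrl, loginToken) {
  const url = new URL("/api/passwordless/login", baseUrl);
  url.searchParams.set("loginToken", loginToken);
  return url.toString();
}

// Turn Strapi's error envelope into one line, e.g.
// "401 UnauthorizedError: Missing or invalid credentials".
function describeStrapiError(body, httpStatus) {
  const err = (body && body.error) || {};
  const status = err.status || httpStatus;
  const name = err.name || "Error";
  const message = err.message || "unknown error";
  return `${status} ${name}: ${message}`;
}

// Exchange the emailed loginToken for a users-permissions JWT.
async function exchangeLoginToken(loginToken, { baseUrl = STRAPI_URL, fetchImpl = fetch } = {}) {
  const res = await fetchImpl(buildLoginUrl(baseUrl, loginToken), { method: "GET" });
  const body = await res.json();
  if (!res.ok || !body.jwt) {
    // A reused or expired one-time token surfaces here as a 400 "Invalid token".
    throw new Error("passwordless login failed: " + describeStrapiError(body, res.status));
  }
  return { jwt: body.jwt, user: body.user };
}

// The JWT is a users-permissions token: it works against /api/users/me, not
// against /admin/users/me, which the admin panel protects with its own scheme.
// Returns null on 401 (the "Missing or invalid credentials" case in the thread).
async function fetchCurrentUser(jwt, { baseUrl = STRAPI_URL, fetchImpl = fetch } = {}) {
  const res = await fetchImpl(new URL("/api/users/me", baseUrl).toString(), {
    headers: { Authorization: `Bearer ${jwt}` },
  });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error("users/me failed: " + describeStrapiError(await res.json(), res.status));
  return res.json();
}

// Full callback: call this from the page the emailed link points at.
// The JWT is returned to the caller rather than written to localStorage, so the
// application decides how long-lived its storage should be.
async function handleCallback(href, opts = {}) {
  const loginToken = extractLoginToken(href);
  if (!loginToken) throw new Error("no loginToken in callback URL");
  const { jwt, user } = await exchangeLoginToken(loginToken, opts);
  const me = await fetchCurrentUser(jwt, opts);
  if (!me) throw new Error("JWT was issued but /api/users/me rejected it");
  return { jwt, user: me };
}
```

In a real page the callback would run `handleCallback(window.location.href)` and then redirect; the token is single-use, so the page should also clear it from the address bar (for example with `history.replaceState`) once the exchange has succeeded, to keep it out of browser history and referrer headers.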

EugeneDraitsev commented 4 months ago

Oh, thank you for the clarification! It was not clear from the documentation, but now it all makes sense. Do you plan to add the ability to support authorization of admin users in the future?

kucherenko commented 4 months ago

I have plans to add authentication with the Time-based One-time Password algorithm first; after that I will think about the request.

EugeneDraitsev commented 4 months ago

Thank you for sharing! I'll keep this ticket open to track its initial purpose: "Documentation or example of frontend flow".

mikehammond commented 2 months ago

@kucherenko Why is documentation for the passwordless plugin excluded in the register.js file? My only thought right now is that it is a security concern, but I am not quite convinced about that.