Open CrowdHailer opened 5 years ago
Yeah, this is the last piece missing in the Pow core: #6
After auth flow can be set easily then I believe the Pow core is feature complete. Personally I think WebAuthn is the future of web auth, and I’ll be happy when we can finally kill memorized secrets (and probably user id). Hardware based auth will be much better.
There is PowAssent for multi provider auth though: https://github.com/danschultzer/pow_assent
Hey @danschultzer, I have a question related to this ticket.

We're using Pow in combination with PowAssent to make authorisation exclusively via social providers (Google and Apple) possible, and we chose not to use the `pow_user_fields()` macro to avoid having password-related fields in our schema. This worked up until version 1.0.17, where there's a compile-time check in place to ensure all the required fields are present.

Is there a possibility to work around the check so we don't have an unused `password_hash` field in our database schema? Or is there another route you'd recommend?
@Tmw Good question. I would either remove `use Pow.Ecto.Schema` or delete the `:pow_fields` module attribute, depending on what works better for your case.
`use Pow.Ecto.Schema`

You have to add the `pow_user_id_field/0` method since it's used by Pow to figure out the user id field. Also remember all the changesets needed.
```elixir
defmodule MyApp.Users.User do
  @moduledoc false
  use Ecto.Schema

  @behaviour Pow.Ecto.Schema
  @behaviour PowAssent.Ecto.Schema

  schema "users" do
    has_many :user_identities, MyApp.UserIdentities.UserIdentity, on_delete: :delete_all
    field :email, :string, null: false

    timestamps()
  end

  def pow_user_id_field, do: :email

  def changeset(user_or_changeset, attrs) do
    # ...
  end

  def user_identity_changeset(user_or_changeset, user_identity, attrs, user_id_attrs) do
    PowAssent.Ecto.Schema.changeset(user_or_changeset, user_identity, attrs, user_id_attrs, [])
  end
end
```
`:pow_fields` module attribute

This will simply ignore all fields added by Pow. It's fine to do as you don't use `pow_user_fields/0` anyway:
```elixir
defmodule MyApp.Users.User do
  @moduledoc false
  use Ecto.Schema
  use Pow.Ecto.Schema
  use PowAssent.Ecto.Schema

  # Explicitly remove `:pow_fields` used for adding and validating Pow fields
  Module.delete_attribute(__MODULE__, :pow_fields)

  schema "users" do
    has_many :user_identities, MyApp.UserIdentities.UserIdentity, on_delete: :delete_all
    field :email, :string, null: false

    timestamps()
  end
end
```
This definitely should be changed so it's easy to disable the password for the user. This goes hand in hand with #6, where you might use WebAuthn, magic links, etc. for auth instead of a password.
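As an added example (not code from this thread, nor from Pow or PowAssent), here is the first option with the elided `changeset/2` filled in and password verification explicitly refused. The module name, the `users` table, the email validation rules and the unique index on `email` are assumptions; `Pow.Ecto.Schema` and `PowAssent.Ecto.Schema` are referenced only as the maintainer's snippet references them. The `verify_password/2` clause is the part worth not forgetting: once `use Pow.Ecto.Schema` is gone nothing generates it, and a passwordless schema should answer `false` for every password rather than raise or fall through.

```elixir
defmodule MyApp.Users.User do
  @moduledoc false
  use Ecto.Schema

  import Ecto.Changeset

  # Without `use Pow.Ecto.Schema` nothing is generated for us, so the
  # behaviours make the compiler warn about any callback we forget.
  @behaviour Pow.Ecto.Schema
  @behaviour PowAssent.Ecto.Schema

  schema "users" do
    has_many :user_identities, MyApp.UserIdentities.UserIdentity, on_delete: :delete_all
    field :email, :string, null: false

    timestamps()
  end

  # Pow reads the user id field name from this function.
  def pow_user_id_field, do: :email

  # Replaces the elided changeset from the thread. With no generated
  # `pow_changeset/2`, the email is cast, normalized and validated by hand.
  # Assumption: a unique index exists on users.email for unique_constraint/2.
  def changeset(user_or_changeset, attrs) do
    user_or_changeset
    |> cast(attrs, [:email])
    |> update_change(:email, &normalize_email/1)
    |> validate_required([:email])
    |> validate_format(:email, ~r/^[^\s@]+@[^\s@]+$/)
    |> validate_length(:email, max: 160)
    |> unique_constraint(:email)
  end

  # There is no password_hash column, so there is nothing to compare against.
  # Return `false` unconditionally (never raise, never `true`) so a password
  # submitted to a Pow password login path can never authenticate this user.
  def verify_password(_user, _password), do: false

  def user_identity_changeset(user_or_changeset, user_identity, attrs, user_id_attrs) do
    PowAssent.Ecto.Schema.changeset(user_or_changeset, user_identity, attrs, user_id_attrs, [])
  end

  # Trim and lower-case so the same mailbox cannot be registered twice with
  # different casing; non-binary values are left for validate_required/2.
  defp normalize_email(email) when is_binary(email), do: email |> String.trim() |> String.downcase()
  defp normalize_email(other), do: other
end
```

The second option in the thread keeps `use Pow.Ecto.Schema` and therefore still gets Pow's generated defaults; the explicit `verify_password/2` above matters for the first option, where you are on your own for every function Pow would otherwise have defined.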
Wow! Thank you for your extensive answer! I went for option two (`Module.delete_attribute`) and it definitely does the trick! 🙌
This is a fairly open ended question so I understand the conclusion might be that this is outside the scope of Pow.
We are working on a passwordless (device based) authentication solution. It's at a very early stage (currently we are delivering it as a paid service, but even that might change over time); there is an example implementation over at https://forgetpasswords.com/ and I am looking at how to make it work better for Elixir projects.
Does it make sense to look at integrating this as an option/extension for Pow? It seems that several things that Pow offers would be useful, like integration with the Plug session and Phoenix error handler. However, it might be that the assumption of a username/password combo is central to Pow, and so I would be better off implementing a separate library.