Magic link sign-in flow (password-free logins) [Feature Request] #4724
Magic Links are becoming an increasingly popular approach to logging in, thanks in part to Slack.
In a Magic Link login flow, a user is emailed (or texted!) a link to automatically log into their account by email, removing the need to remember a complex password. From a UX standpoint, the experience is excellent. Adding support for Magic Links through Devise would give Ruby on Rails in general a powerful leg up over other frameworks and authentication libraries.
A secure solution / proposal for how it could be added:
Since Devise already has comprehensive support for unlocking an account via an
While the 'magic link' mechanism is great from a UX point of view, I have yet to see an implementation that is not trading security for ease of use. With that said, I'm hesitant to see this implemented in the devise core, since devise takes security very seriously and is expected to do so.
At one point, pre 3.1 iirc, confirmation tokens (and password resets too?) allowed the user to login. This was seen as a security risk since it would mean that simply having a confirmation token would allow a user to circumvent the auth process. For a full write-up, see http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
@cross-p6 Thank you for sharing this. However, I don't believe what you posted invalidates this approach for handling magic links.
The write-up then explains how confirmation tokens could become a security issue (my emphasis added):
From this write up... we can see the security concerns are not that automatic logins via email are inherently dangerous... but rather, that automatic login links via email are dangerous if sent while in the context of a user changing their email address. The danger being that the user could mistakenly give someone else access to their account in a confirm-your-email confirmation email if they made a typo while in the process of changing their account's email address.
For confirmation links sent right after changing an email address, this is a valid security concern, and no doubt one that Devise was right to patch up. But it's not a security concern relevant for a magic login link, which is sent when the connection between a user and their email address is unambiguous (especially if a user has confirmed their email address).
In such cases, magic links would be no more dangerous than Devise's default out-of-the-box configuration for password resets, where it's assumed that anyone who can prove ownership of an email address, and ownership of a token recently-generated for that email, is someone we can trust.
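The conditions argued for above (a confirmed email binding, a recently generated token, and no link surviving an email change) can be captured in a small token flow. This is an added illustration, not Devise's code or the proposal from this thread; the `User` struct, the `MagicLink` class and the 15-minute TTL are assumed.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory user record; a real app would persist these columns.
User = Struct.new(:email, :confirmed_at, :login_token_digest, :login_token_sent_at,
                  keyword_init: true)

class MagicLink
  TOKEN_TTL = 15 * 60 # seconds a link stays valid (assumed value)

  # Issue a token only when the email binding is unambiguous: the address
  # must already be confirmed. Only a digest is stored, so a leaked database
  # row does not yield a usable link.
  def self.issue(user, now: Time.now)
    raise ArgumentError, 'email not confirmed' unless user.confirmed_at
    raw = SecureRandom.urlsafe_base64(32)
    user.login_token_digest = digest(raw)
    user.login_token_sent_at = now
    raw # goes into the emailed URL; never stored
  end

  # Returns true and consumes the token when it matches, is unexpired, and
  # has not been cleared by an email change since it was issued.
  def self.redeem(user, raw, now: Time.now)
    return false unless user.login_token_digest && user.login_token_sent_at
    return false if now - user.login_token_sent_at > TOKEN_TTL
    return false unless secure_compare(user.login_token_digest, digest(raw))
    clear(user) # single use
    true
  end

  # Called from the email-change path: a link issued for the old binding
  # must not survive an address change (the typo scenario from the thread).
  def self.on_email_change(user)
    clear(user)
  end

  def self.clear(user)
    user.login_token_digest = nil
    user.login_token_sent_at = nil
  end

  def self.digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Constant-time comparison so timing does not leak digest bytes.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```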