Add ability to login with link send to email (passwordless login)

packages/strapi-plugin-users-permissions/admin/src/containers/Providers/utils/forms.js

@@ -17,9 +17,24 @@ const forms = {
           required: true,
         },
       },
+      {
+        autoFocus: true,
+        label: getTrad('PopUpForm.Providers.local.linkLogin.label'),
+        name: 'linkLogin',
+        type: 'bool',
+        description: getTrad('PopUpForm.Providers.local.linkLogin.description'),
+        size: { xs: 6 },
+        validations: {
+          required: true,
+        },
+      },
     ],
     schema: yup.object().shape({
       enabled: yup.bool().required(translatedErrors.required),
+      linkLogin: yup.bool().when('enabled', {
+        is: true,
+        then: yup.bool().required(translatedErrors.required),
+      }),
     }),
   },
   providers: {

packages/strapi-plugin-users-permissions/admin/src/translations/en.json

@@ -14,6 +14,7 @@
   "EditForm.inputToggle.label.email-reset-password": "Reset password page",
   "EditForm.inputToggle.label.sign-up": "Enable sign-ups",
   "Email.template.email_confirmation": "Email address confirmation",
+  "Email.template.email_login": "Login with link to email",
   "Email.template.reset_password": "Reset password",
   "HeaderNav.link.advancedSettings": "Advanced settings",
   "HeaderNav.link.emailTemplates": "Email Templates",
@@ -44,6 +45,8 @@
   "PopUpForm.Email.options.response_email.label": "Response email",
   "PopUpForm.Email.options.response_email.placeholder": "kai@doe.com",
   "PopUpForm.Providers.enabled.description": "If disabled, users won't be able to use this provider.",
+  "PopUpForm.Providers.local.linkLogin.label": "Login link",
+  "PopUpForm.Providers.local.linkLogin.description": "If enabled user can login with link send to email.",
   "PopUpForm.Providers.enabled.label": "Enable",
   "PopUpForm.Providers.key.label": "Client ID",
   "PopUpForm.Providers.key.placeholder": "TEXT",

packages/strapi-plugin-users-permissions/config/functions/bootstrap.js

@@ -23,6 +23,7 @@ module.exports = async () => {
     email: {
       enabled: true,
       icon: 'envelope',
+      linkLogin: true,
     },
     discord: {
       enabled: false,
@@ -181,6 +182,25 @@ module.exports = async () => {
 
 <p><%= URL %>?confirmation=<%= CODE %></p>
 
+<p>Thanks.</p>`,
+        },
+      },
+      email_login: {
+        display: 'Email.template.email_login',
+        icon: 'check-square',
+        options: {
+          from: {
+            name: 'Administration Panel',
+            email: 'no-reply@strapi.io',
+          },
+          response_email: '',
+          object: 'Login link',
+          message: `<p>Hi!</p>
+
+<p>Please click on the link below to login on the site.</p>
+
+<p><%= URL %>?loginToken=<%= CODE %></p>
+
 <p>Thanks.</p>`,
         },
       },

packages/strapi-plugin-users-permissions/config/routes.json

@@ -272,6 +272,34 @@
         }
       }
     },
+    {
+      "method": "GET",
+      "path": "/auth/login-link",
+      "handler": "Auth.loginLink",
+      "config": {
+        "policies": [],
+        "prefix": "",
+        "description": "Login a user with one time password",
+        "tag": {
+          "plugin": "users-permissions",
+          "name": "User"
+        }
+      }
+    },
+    {
+      "method": "POST",
+      "path": "/auth/send-login-link",
+      "handler": "Auth.sendLoginLink",
+      "config": {
+        "policies": [],
+        "prefix": "",
+        "description": "Send an email to user with login link",
+        "tag": {
+          "plugin": "users-permissions",
+          "name": "User"
+        }
+      }
+    },
     {
       "method": "GET",
       "path": "/auth/email-confirmation",

packages/strapi-plugin-users-permissions/controllers/Auth.js

@@ -597,4 +597,63 @@ module.exports = {
       return ctx.badRequest(null, err);
     }
   },
+
+  async loginLink(ctx) {
+    const { loginToken } = ctx.query;
+
+    const { user: userService, jwt: jwtService } = strapi.plugins['users-permissions'].services;
+
+    if (_.isEmpty(loginToken)) {
+      return ctx.badRequest('token.invalid');
+    }
+
+    const user = await userService.fetch({ loginToken }, []);
+
+    if (!user) {
+      return ctx.badRequest('token.invalid');
+    }
+
+    await userService.edit({ id: user.id }, { loginToken: null });
+
+    ctx.send({
+      jwt: jwtService.issue({ id: user.id }),
+      user: sanitizeEntity(user, {
+        model: strapi.query('user', 'users-permissions').model,
+      }),
+    });
+  },
+
+  async sendLoginLink(ctx) {
+    const params = _.assign(ctx.request.body);
+
+    if (!params.email) {
+      return ctx.badRequest('missing.email');
+    }
+
+    const isEmail = emailRegExp.test(params.email);
+
+    if (isEmail) {
+      params.email = params.email.toLowerCase();
+    } else {
+      return ctx.badRequest('wrong.email');
+    }
+
+    const user = await strapi.query('user', 'users-permissions').findOne({
+      email: params.email,
+    });
+
+    if (user.blocked) {
+      return ctx.badRequest('blocked.user');
+    }
+
+    try {
+      await strapi.plugins['users-permissions'].services.user.sendLoginLink(user);
+      ctx.send({
+        email: user.email,
+        sent: true,
+      });
+    } catch (err) {
+      return ctx.badRequest(null, err);
+    }
+  },
 };

packages/strapi-plugin-users-permissions/documentation/1.0.0/overrides/users-permissions-User.json

@@ -53,6 +53,53 @@
         "security": []
       }
     },
+    "/auth/login-link": {
+      "get": {
+        "tags": ["Authentication"],
+        "security": []
+      }
+    },
+    "/auth/send-login-link": {
+      "post": {
+        "security": [],
+        "externalDocs": {
+          "description": "Find out more in the strapi's documentation",
+          "url": "https://strapi.io/documentation/developer-docs/latest/development/plugins/users-permissions.html#login-link"
+        },
+        "responses": {
+          "200": {
+            "description": "Successfully sent email",
+            "content": {
+              "application/json": {
+                "email": {
+                  "type": "string"
+                },
+                "sent": {
+                  "type": "boolean"
+                }
+              }
+            }
+          }
+        },
+        "requestBody": {
+          "description": "",
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "required": ["email"],
+                "properties": {
+                  "email": {
+                    "type": "string",
+                    "minLength": 6
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/auth/send-email-confirmation": {
       "post": {
         "security": [],

packages/strapi-plugin-users-permissions/models/User.config.js

@@ -8,6 +8,9 @@ module.exports = {
     confirmationToken: {
       hidden: true,
     },
+    loginToken: {
+      hidden: true,
+    },
     provider: {
       hidden: true,
     },

packages/strapi-plugin-users-permissions/models/User.settings.json

@@ -42,6 +42,11 @@
       "configurable": false,
       "private": true
     },
+    "loginToken": {
+      "type": "string",
+      "configurable": false,
+      "private": true
+    },
     "confirmed": {
       "type": "boolean",
       "default": false,

packages/strapi-plugin-users-permissions/services/User.js

@@ -164,4 +164,46 @@ module.exports = {
       html: settings.message,
     });
   },
+
+  async sendLoginLink(user) {
+    const userPermissionService = strapi.plugins['users-permissions'].services.userspermissions;
+    const pluginStore = await strapi.store({
+      environment: '',
+      type: 'plugin',
+      name: 'users-permissions',
+    });
+
+    const settings = await pluginStore
+      .get({ key: 'email' })
+      .then(storeEmail => storeEmail['email_login'].options);
+
+    const userInfo = sanitizeEntity(user, {
+      model: strapi.query('user', 'users-permissions').model,
+    });
+
+    const loginToken = crypto.randomBytes(20).toString('hex');
+
+    await this.edit({ id: user.id }, { loginToken });
+
+    settings.message = await userPermissionService.template(settings.message, {
+      URL: `${getAbsoluteServerUrl(strapi.config)}/auth/login-link`,
+      USER: userInfo,
+      CODE: loginToken,
+    });
+
+    settings.object = await userPermissionService.template(settings.object, { USER: userInfo });
+
+    // Send an email to the user.
+    await strapi.plugins['email'].services.email.send({
+      to: user.email,
+      from:
+        settings.from.email && settings.from.name
+          ? `${settings.from.name} <${settings.from.email}>`
+          : undefined,
+      replyTo: settings.response_email,
+      subject: settings.object,
+      text: settings.message,
+      html: settings.message,
+    });
+  },
 };