Login with magic code #1818

Merged
merged 29 commits into from
Feb 4, 2025
2abe1cb
fix: cannot login with email on PWA
Soxasora Jan 14, 2025
e130705
adjust other email templates
Soxasora Jan 14, 2025
cfc01c5
restore manual url on new user email
Soxasora Jan 14, 2025
c357bc7
no padding on button section
Soxasora Jan 14, 2025
2f29f30
cleanup
Soxasora Jan 14, 2025
33bbdc3
generate 6-digit bech32 token
Soxasora Jan 14, 2025
8fb7cdb
token needs to be fed as lower case; validator case insensitive
Soxasora Jan 15, 2025
7a0e794
delete token if user has failed 3 times
Soxasora Jan 16, 2025
3efa20d
proposal: context-independent error page
Soxasora Jan 16, 2025
841cd9a
include expiration time on email page message
Soxasora Jan 16, 2025
8d41679
add expiration time to emails
Soxasora Jan 16, 2025
c65e62b
independent checkPWA function
Soxasora Jan 16, 2025
e663b75
restore token deletion if successful auth
Soxasora Jan 16, 2025
5c26cd6
final cleanup: remove unused function
Soxasora Jan 16, 2025
0b6da66
compact useVerificationToken
Soxasora Jan 20, 2025
2ad5d04
email.js: magic code for non-PWA users
Soxasora Jan 21, 2025
6155eef
adjust email templates
Soxasora Jan 21, 2025
9658807
MultiInput component; magic code via MultiInput
Soxasora Jan 29, 2025
a8b8102
Merge branch 'master' into magic_login
Soxasora Jan 29, 2025
5c7e17f
hotfix: revert length testing; larger width for inputs
Soxasora Jan 29, 2025
33a9d47
Merge branch 'master' into magic_login
huumn Jan 30, 2025
908b70e
manual bech32 token generation; no upperCase
Soxasora Jan 30, 2025
4fa221b
reverting to string concatenation
Soxasora Jan 30, 2025
766ca22
layout tweaks, fix error placement
Soxasora Jan 30, 2025
b0b8a38
Merge branch 'master' into magic_login
huumn Jan 31, 2025
390f79b
pastable inputs
Soxasora Jan 31, 2025
8085a71
Merge branch 'master' into magic_login
huumn Feb 2, 2025
dd2e75c
small nit fixes
huumn Feb 3, 2025
6527e22
less ambiguous error path
huumn Feb 4, 2025
2 changes: 1 addition & 1 deletion components/login.js
Expand Up @@ -42,7 +42,7 @@ const authErrorMessages = {
OAuthCallback: 'Error handling OAuth response. Try again or choose a different method.',
OAuthCreateAccount: 'Could not create OAuth account. Try again or choose a different method.',
EmailCreateAccount: 'Could not create Email account. Try again or choose a different method.',
Callback: 'Error in callback handler. Try again or choose a different method.',
Callback: 'Try again or choose a different method.',
OAuthAccountNotLinked: 'This auth method is linked to another account. To link to this account first unlink the other account.',
EmailSignin: 'Failed to send email. Make sure you entered your email address correctly.',
CredentialsSignin: 'Auth failed. Try again or choose a different method.',
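Review bot: The `Callback` variant that reads only 'Try again or choose a different method.' gives the remedy without saying what failed, while every neighbouring entry in `authErrorMessages` states a cause first. Dropping 'Error in callback handler.' is reasonable if the aim is to stop exposing handler internals to the user, but a neutral lead such as the 'Auth failed.' already used by `CredentialsSignin` would keep the map consistent and still tell the user that the sign-in attempt did not succeed.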
26 changes: 13 additions & 13 deletions pages/api/auth/[...nextauth].js
Expand Up @@ -329,14 +329,17 @@ export const getAuthOptions = (req, res) => ({
// we need to find the most recent verification request for this email/identifier
const verificationRequest = await prisma.verificationToken.findFirst({
where: {
identifier
identifier,
attempts: {
lt: 2 // count starts at 0
}
},
orderBy: {
createdAt: 'desc'
}
})

if (!verificationRequest) return null
@huumn (Member), Feb 4, 2025:

This forces a redirect to the login page (my change, that is) if all 3 attempts have been tried, which lets us avoid the "go back or login again" on the error page. Instead, the button on the error page just goes back in the browser history.

Member Author:

This is a way better UX, thanks!

if (!verificationRequest) throw new Error('No verification request found')

if (verificationRequest.token === token) { // if correct delete the token and continue
await prisma.verificationToken.delete({
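Review bot: The bound in `attempts: { lt: 2 }` makes a row eligible only while `attempts` is 0 or 1, so with the single increment per failed guess in the next hunk a token is compared against at most two sequential guesses, and the third submission lands on `throw new Error('No verification request found')` even when it carries the right code. If three guesses are intended, as the `// count starts at 0` comment seems to suggest, the bound should be `lt: 3` with the delete threshold in the next hunk moved to match. A single named constant for the limit, used in both places, would keep the two from drifting apart and document the intended number.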
Expand All @@ -345,17 +348,14 @@ export const getAuthOptions = (req, res) => ({
return verificationRequest
}

const newAttempts = verificationRequest.attempts + 1
if (newAttempts > 3) { // the moment the user has tried 3 times, delete the token
await prisma.verificationToken.delete({
where: { id: verificationRequest.id }
})
} else { // otherwise, just increment the failed attempts
await prisma.verificationToken.update({
where: { id: verificationRequest.id },
data: { attempts: newAttempts }
})
}
await prisma.verificationToken.update({
where: { id: verificationRequest.id },
data: { attempts: { increment: 1 } }
})
Member:

Your changes were perfectly fine, but the increment wasn't an atomic read-write; it read from the db in one tx, then updated it in another. While it's still possible with my fixes for someone to get more than 3 attempts in quick succession, this makes it a little less likely.

Ideally, this code would not have any races at all, but it's a bit tricky because identifier isn't unique. We could wrap it all in a transaction and do an optimistic lock, or make it serializable, but our attempt limit is so low they won't get many more attempts anyway.


await prisma.verificationToken.deleteMany({
where: { id: verificationRequest.id, attempts: { gte: 2 } }
})

return null
}
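Review bot: The `deleteMany` at the end of this hunk is keyed on `id: verificationRequest.id`, so it removes only the exhausted row. The lookup in the previous hunk selects by `identifier` ordered by `createdAt`, so if an older row for the same identifier is still stored with `attempts` below the bound, it becomes the next candidate and brings a fresh guess budget. Deleting by `identifier` once the limit is reached, or clearing older rows when a new token is issued, would make the limit apply per identifier rather than per row. The increment and the delete are also still two separate statements after an earlier read; a conditional `updateMany` with `where: { id, attempts: { lt: 2 } }` whose returned `count` is checked before the token comparison would make the budget check and the increment one operation.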
3 changes: 1 addition & 2 deletions pages/auth/error.js
Expand Up @@ -27,12 +27,11 @@ export default function AuthError ({ error }) {
<StaticLayout>
<Image className='rounded-1 shadow-sm' width='500' height='375' src={`${process.env.NEXT_PUBLIC_ASSET_PREFIX}/double.gif`} fluid />
<h2 className='pt-4'>Incorrect magic code</h2>
<h4 className='text-muted text-center pt-2'>login again and get a new magic code</h4>
<Button
className='align-items-center my-3'
style={{ borderWidth: '2px' }}
id='login'
onClick={() => router.push('/login')}
onClick={() => router.back()}
size='lg'
>
try again
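Review bot: `onClick={() => router.back()}` only helps when the tab has a previous in-app history entry; if this error page is opened directly or in a fresh tab, the 'try again' button has nowhere to return to, or leaves the site. A fallback to `router.push('/login')` when there is no history to go back to would cover that case. The button also keeps `id='login'` although it no longer navigates to `/login`, and with the `<h4>` hint removed nothing on the page tells the user that a new magic code may be needed.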