Add Magic Link

Author: ajibarra

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-version: ['8.1', '8.2', '8.3']
+        php-version: ['8.1', '8.2', '8.3', '8.4']
         db-type: [sqlite, mysql, pgsql]
         prefer-lowest: ['']
 
@@ -45,7 +45,7 @@ jobs:
       run: echo "::set-output name=date::$(date +'%Y-%m')"
 
     - name: Cache composer dependencies
-      uses: actions/cache@v1
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ steps.key-date.outputs.date }}-${{ hashFiles('composer.json') }}-${{ matrix.prefer-lowest }}
@@ -59,22 +59,22 @@ jobs:
         fi
 
     - name: Setup problem matchers for PHPUnit
-      if: matrix.php-version == '8.1' && matrix.db-type == 'mysql'
+      if: matrix.php-version == '8.2' && matrix.db-type == 'mysql'
       run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
 
     - name: Run PHPUnit
       run: |
         if [[ ${{ matrix.db-type }} == 'sqlite' ]]; then export DB_URL='sqlite:///:memory:'; fi
         if [[ ${{ matrix.db-type }} == 'mysql' ]]; then export DB_URL='mysql://root:root@127.0.0.1/cakephp?encoding=utf8'; fi
         if [[ ${{ matrix.db-type }} == 'pgsql' ]]; then export DB_URL='postgres://postgres:postgres@127.0.0.1/postgres'; fi
-        if [[ ${{ matrix.php-version }} == '8.1' ]]; then
+        if [[ ${{ matrix.php-version }} == '8.2' ]]; then
           export CODECOVERAGE=1 && vendor/bin/phpunit --display-deprecations --display-incomplete --display-skipped --coverage-clover=coverage.xml
         else
           vendor/bin/phpunit
         fi
 
     - name: Submit code coverage
-      if: matrix.php-version == '8.1'
+      if: matrix.php-version == '8.2'
       uses: codecov/codecov-action@v1
 
   cs-stan:
@@ -87,7 +87,7 @@ jobs:
     - name: Setup PHP
       uses: shivammathur/setup-php@v2
       with:
-        php-version: '8.1'
+        php-version: '8.2'
         extensions: mbstring, intl, apcu
         coverage: none
 
@@ -100,7 +100,7 @@ jobs:
       run: echo "::set-output name=date::$(date +'%Y-%m')"
 
     - name: Cache composer dependencies
-      uses: actions/cache@v1
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ steps.key-date.outputs.date }}-${{ hashFiles('composer.json') }}-${{ matrix.prefer-lowest }}

Docs/Documentation/Installation.md

@@ -32,7 +32,7 @@ page for more details.
 If you want to use Google Authenticator features...
 
 ```
-composer require robthree/twofactorauth:"^1.6"
+composer require robthree/twofactorauth:"@stable"
 ```
 
 NOTE: you'll need to enable `OneTimePasswordAuthenticator.login` in your config/users.php file:

Docs/Documentation/MagicLink.md

@@ -0,0 +1,60 @@
+Magic Link
+===============================
+The plugin offers an easy way to add one-click login capabilities (through a link sent to user email)
+
+
+Installation Requirement
+------------------------
+There are no package requirements for using this feature. `Users.Email.required` setting must be set to true
+
+By default the feature is enabled. The default configuration is:
+
+```php
+'OneTimeLogin' => [
+    'enabled' => true,
+    'tokenLifeTime' => 600,
+    'DeliveryHandlers' => [
+        'Email' => [
+            'className' => \CakeDC\Users\Model\Behavior\OneTimeDelivery\EmailDelivery::class
+        ],
+    ],
+],
+```
+* `tokenLifeTime`: 60 minutes by default. You can set how many seconds you want your token to be valid.
+* `DelveryHandlers`: Email delivery is included but it can be easily extended implementing `\CakeDC\Users\Model\Behavior\OneTimeDelivery\DeliveryInterface` (i.e SmsDelivery, PushDelivery, etc)
+
+Enabling
+--------
+
+The feature is enabled by default but you can disable it application-wide and enable via Middleware (or any other way) for specific situations using:
+
+```php
+Configure::write('OneTimeLogin.enabled', true),
+```
+
+Disabling
+---------
+You can disable it by adding this in your config/users.php file:
+
+```php
+ 'OneTimeLogin.enabled' => false,
+```
+
+How does it work
+----------------
+When the user access the login page, there is a new button `Send me a login link`. On click, the user will be redirected to a page to enter his email address. Once it is submitted, the user will receive an email with the link to automatically login.
+
+Two-factor authentication
+----------------
+The two-factor authentication is skipped by default for this feature since the user must actively click on a link sent to his email address.
+
+If you want to enable it by adding this in your config/users.php file:
+
+```php
+'Auth.Authenticators.OneTimeToken.skipTwoFactorVerify' => false,
+```
+
+ReCaptcha
+----------------
+ReCaptcha will be added automatically to the request login link form if `Users.reCaptcha.login` is enabled. We strongly recommend having ReCaptcha enabled, because it's a public form that could be targeted by an attacker to send multiple requests.
+

Docs/Home.md

@@ -22,6 +22,7 @@ Documentation
 * [Social Authentication](Documentation/SocialAuthentication.md)
 * [Two Factor Authenticator](Documentation/Two-Factor-Authenticator.md)
 * [Webauthn Two-Factor Authentication (Yubico Key compatible)](Documentation/WebauthnTwoFactorAuthenticator.md)
+* [Magic Link](Documentation/MagicLink.md)
 * [UserHelper](Documentation/UserHelper.md)
 * [AuthLinkHelper](Documentation/AuthLinkHelper.md)
 * [Events](Documentation/Events.md)

composer.json

@@ -30,7 +30,7 @@
     "require": {
         "php": ">=8.1",
         "cakephp/cakephp": "^5.0",
-        "cakedc/auth": "^10.0",
+        "cakedc/auth": "^10.1",
         "cakephp/authorization": "^3.0",
         "cakephp/authentication": "^3.0"
     },
@@ -42,7 +42,8 @@
         "league/oauth2-linkedin": "@stable",
         "luchianenco/oauth2-amazon": "^1.1",
         "google/recaptcha": "@stable",
-        "robthree/twofactorauth": "^2.0",
+        "robthree/twofactorauth": "^3.0 || ^2.0",
+        "endroid/qr-code": "^6.0 || ^5.0",
         "league/oauth1-client": "^1.7",
         "cakephp/cakephp-codesniffer": "^5.0",
         "web-auth/webauthn-lib": "^4.4",

config/Migrations/20250124082232_AddLoginTokenToUsers.php

@@ -0,0 +1,31 @@
+<?php
+declare(strict_types=1);
+
+use Migrations\AbstractMigration;
+
+class AddLoginTokenToUsers extends AbstractMigration
+{
+    /**
+     * Change Method.
+     *
+     * More information on this method is available here:
+     * https://book.cakephp.org/phinx/0/en/migrations.html#the-change-method
+     * @return void
+     */
+    public function change(): void
+    {
+        $table = $this->table('users');
+        $table->addColumn('login_token', 'string', [
+            'default' => null,
+            'limit' => 32,
+            'null' => true,
+        ])->addColumn('login_token_date', 'datetime', [
+            'default' => null,
+            'null' => true,
+        ])->addColumn('token_send_requested', 'boolean', [
+            'default' => false,
+            'null' => false,
+        ])->addIndex('login_token');
+        $table->update();
+    }
+}

config/permissions.php

@@ -79,6 +79,9 @@
                 'webauthn2faRegisterOptions',
                 'webauthn2faAuthenticate',
                 'webauthn2faAuthenticateOptions',
+                'requestLoginLink',
+                'sendLoginLink',
+                'singleTokenLogin',
             ],
             'bypassAuth' => true,
         ],

config/users.php

@@ -160,7 +160,7 @@
         // The algorithm used
         'algorithm' => enum_exists(\RobThree\Auth\Algorithm::class) ? \RobThree\Auth\Algorithm::Sha1 : null,
         // QR-code provider (more on this later)
-        'qrcodeprovider' => null,
+        'qrcodeprovider' => class_exists('\RobThree\Auth\Providers\Qr\EndroidQrCodeProvider') ? (new \RobThree\Auth\Providers\Qr\EndroidQrCodeProvider()) : null,
         // Random Number Generator provider (more on this later)
         'rngprovider' => null,
     ],
@@ -174,6 +174,19 @@
         \CakeDC\Auth\Authentication\TwoFactorProcessor\Webauthn2faProcessor::class,
         \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
     ],
+    /**
+     * @see  https://github.com/CakeDC/users/blob/14.next-cake5/Docs/Documentation/MagicLink.md
+     */
+    'OneTimeLogin' => [
+        'enabled' => true,
+        'thresholdTimeout' => 60,
+        'tokenLifeTime' => 600,
+        'DeliveryHandlers' => [
+            'Email' => [
+                'className' => \CakeDC\Users\Model\Behavior\OneTimeDelivery\EmailDelivery::class
+            ]
+        ]
+    ],
     // default configuration used to auto-load the Auth Component, override to change the way Auth works
     'Auth' => [
         'Authentication' => [
@@ -219,6 +232,13 @@
                 'className' => 'CakeDC/Users.SocialPendingEmail',
                 'skipTwoFactorVerify' => true,
             ],
+            'OneTimeToken' => [
+                'className' => 'CakeDC/Auth.OneTimeToken',
+                'skipTwoFactorVerify' => true,
+                'loginUrl' => [
+                    '/login',
+                ],
+            ]
         ],
         'Identifiers' => [
             'Password' => [

phpstan-baseline.neon

@@ -10,11 +10,6 @@ parameters:
 			count: 2
 			path: src/Controller/Component/LoginComponent.php
 
-		-
-			message: "#^Access to an undefined property CakeDC\\\\Users\\\\Controller\\\\UsersController\\:\\:\\$Authentication\\.$#"
-			count: 2
-			path: src/Controller/UsersController.php
-
 		-
 			message: "#^Access to an undefined property CakeDC\\\\Users\\\\Controller\\\\UsersController\\:\\:\\$OneTimePasswordAuthenticator\\.$#"
 			count: 3
@@ -105,11 +100,6 @@ parameters:
 			count: 1
 			path: src/Model/Behavior/BaseTokenBehavior.php
 
-		-
-			message: "#^Access to an undefined property Cake\\\\Datasource\\\\EntityInterface\\:\\:\\$social_accounts\\.$#"
-			count: 2
-			path: src/Model/Behavior/LinkSocialBehavior.php
-
 		-
 			message: "#^Access to an undefined property Cake\\\\ORM\\\\Table\\:\\:\\$SocialAccounts\\.$#"
 			count: 5
@@ -120,21 +110,6 @@ parameters:
 			count: 1
 			path: src/Model/Behavior/LinkSocialBehavior.php
 
-		-
-			message: "#^Access to an undefined property Cake\\\\Datasource\\\\EntityInterface\\:\\:\\$password\\.$#"
-			count: 1
-			path: src/Model/Behavior/PasswordBehavior.php
-
-		-
-			message: "#^Access to an undefined property Cake\\\\Datasource\\\\EntityInterface\\:\\:\\$password_confirm\\.$#"
-			count: 1
-			path: src/Model/Behavior/PasswordBehavior.php
-
-		-
-			message: "#^Call to an undefined method Cake\\\\Datasource\\\\EntityInterface\\:\\:checkPassword\\(\\)\\.$#"
-			count: 1
-			path: src/Model/Behavior/PasswordBehavior.php
-
 		-
 			message: "#^Call to an undefined method Cake\\\\ORM\\\\Table\\:\\:findByUsernameOrEmail\\(\\)\\.$#"
 			count: 1
@@ -209,9 +184,3 @@ parameters:
 			message: "#^Method CakeDC\\\\Users\\\\Model\\\\Entity\\\\User\\:\\:_setTos\\(\\) should return bool but returns string\\.$#"
 			count: 1
 			path: src/Model/Entity/User.php
-
-		-
-			message: "#^Parameter \\#2 \\$usersTable of class CakeDC\\\\Users\\\\Webauthn\\\\Repository\\\\UserCredentialSourceRepository constructor expects CakeDC\\\\Users\\\\Model\\\\Table\\\\UsersTable\\|null, Cake\\\\ORM\\\\Table given\\.$#"
-			count: 1
-			path: src/Webauthn/BaseAdapter.php
-

src/Command/UsersDeleteUserCommand.php

@@ -46,7 +46,7 @@ public function execute(Arguments $args, ConsoleIo $io)
          */
         $UsersTable = $this->getTableLocator()->get('Users');
         /**
-         * @var \Cake\Datasource\EntityInterface $user
+         * @var \CakeDC\Users\Model\Entity\User $user
          */
         $user = $UsersTable->find()->where(['username' => $username])->firstOrFail();
         if (isset($UsersTable->SocialAccounts)) {