Add Magic Link

Author: ajibarra

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-version: ['8.1', '8.2', '8.3']
+        php-version: ['8.1', '8.2', '8.3', '8.4']
         db-type: [sqlite, mysql, pgsql]
         prefer-lowest: ['']
 
@@ -45,7 +45,7 @@ jobs:
       run: echo "::set-output name=date::$(date +'%Y-%m')"
 
     - name: Cache composer dependencies
-      uses: actions/cache@v1
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ steps.key-date.outputs.date }}-${{ hashFiles('composer.json') }}-${{ matrix.prefer-lowest }}
@@ -59,22 +59,22 @@ jobs:
         fi
 
     - name: Setup problem matchers for PHPUnit
-      if: matrix.php-version == '8.1' && matrix.db-type == 'mysql'
+      if: matrix.php-version == '8.2' && matrix.db-type == 'mysql'
       run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
 
     - name: Run PHPUnit
       run: |
         if [[ ${{ matrix.db-type }} == 'sqlite' ]]; then export DB_URL='sqlite:///:memory:'; fi
         if [[ ${{ matrix.db-type }} == 'mysql' ]]; then export DB_URL='mysql://root:root@127.0.0.1/cakephp?encoding=utf8'; fi
         if [[ ${{ matrix.db-type }} == 'pgsql' ]]; then export DB_URL='postgres://postgres:postgres@127.0.0.1/postgres'; fi
-        if [[ ${{ matrix.php-version }} == '8.1' ]]; then
+        if [[ ${{ matrix.php-version }} == '8.2' ]]; then
           export CODECOVERAGE=1 && vendor/bin/phpunit --display-deprecations --display-incomplete --display-skipped --coverage-clover=coverage.xml
         else
           vendor/bin/phpunit
         fi
 
     - name: Submit code coverage
-      if: matrix.php-version == '8.1'
+      if: matrix.php-version == '8.2'
       uses: codecov/codecov-action@v1
 
   cs-stan:
@@ -87,7 +87,7 @@ jobs:
     - name: Setup PHP
       uses: shivammathur/setup-php@v2
       with:
-        php-version: '8.1'
+        php-version: '8.2'
         extensions: mbstring, intl, apcu
         coverage: none
 
@@ -100,7 +100,7 @@ jobs:
       run: echo "::set-output name=date::$(date +'%Y-%m')"
 
     - name: Cache composer dependencies
-      uses: actions/cache@v1
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ steps.key-date.outputs.date }}-${{ hashFiles('composer.json') }}-${{ matrix.prefer-lowest }}

Docs/Documentation/MagicLink.md

@@ -0,0 +1,60 @@
+Magic Link
+===============================
+The plugin offers an easy way to add one-click login capabilities (through a link sent to user email)
+
+
+Installation Requirement
+------------------------
+There are no package requirements for using this feature. `Users.Email.required` setting must be set to true
+
+By default the feature is enabled. The default configuration is:
+
+```php
+'OneTimeLogin' => [
+    'enabled' => true,
+    'tokenLifeTime' => 600,
+    'DeliveryHandlers' => [
+        'Email' => [
+            'className' => \CakeDC\Users\Model\Behavior\OneTimeDelivery\EmailDelivery::class
+        ],
+    ],
+],
+```
+* `tokenLifeTime`: 60 minutes by default. You can set how many seconds you want your token to be valid.
+* `DelveryHandlers`: Email delivery is included but it can be easily extended implementing `\CakeDC\Users\Model\Behavior\OneTimeDelivery\DeliveryInterface` (i.e SmsDelivery, PushDelivery, etc)
+
+Enabling
+--------
+
+The feature is enabled by default but you can disable it application-wide and enable via Middleware (or any other way) for specific situations using:
+
+```php
+Configure::write('OneTimeLogin.enabled', true),
+```
+
+Disabling
+---------
+You can disable it by adding this in your config/users.php file:
+
+```php
+ 'OneTimeLogin.enabled' => false,
+```
+
+How does it work
+----------------
+When the user access the login page, there is a new button `Send me a login link`. On click, the user will be redirected to a page to enter his email address. Once it is submitted, the user will receive an email with the link to automatically login.
+
+Two-factor authentication
+----------------
+The two-factor authentication is skipped by default for this feature since the user must actively click on a link sent to his email address.
+
+If you want to enable it by adding this in your config/users.php file:
+
+```php
+'Auth.Authenticators.OneTimeToken.skipTwoFactorVerify' => false,
+```
+
+ReCaptcha
+----------------
+ReCaptcha will be added automatically to the request login link form if `Users.reCaptcha.login` is enabled. We strongly recommend having ReCaptcha enabled, because it's a public form that could be targeted by an attacker to send multiple requests.
+

Docs/Home.md

@@ -22,6 +22,7 @@ Documentation
 * [Social Authentication](Documentation/SocialAuthentication.md)
 * [Two Factor Authenticator](Documentation/Two-Factor-Authenticator.md)
 * [Webauthn Two-Factor Authentication (Yubico Key compatible)](Documentation/WebauthnTwoFactorAuthenticator.md)
+* [Magic Link](Documentation/MagicLink.md)
 * [UserHelper](Documentation/UserHelper.md)
 * [AuthLinkHelper](Documentation/AuthLinkHelper.md)
 * [Events](Documentation/Events.md)

composer.json

@@ -30,7 +30,7 @@
     "require": {
         "php": ">=8.1",
         "cakephp/cakephp": "^5.0",
-        "cakedc/auth": "^10.0",
+        "cakedc/auth": "^10.1",
         "cakephp/authorization": "^3.0",
         "cakephp/authentication": "^3.0"
     },
@@ -42,7 +42,8 @@
         "league/oauth2-linkedin": "@stable",
         "luchianenco/oauth2-amazon": "^1.1",
         "google/recaptcha": "@stable",
-        "robthree/twofactorauth": "^2.0",
+        "robthree/twofactorauth": "^3.0 || ^2.0",
+        "endroid/qr-code": "^6.0 || ^5.0",
         "league/oauth1-client": "^1.7",
         "cakephp/cakephp-codesniffer": "^5.0",
         "web-auth/webauthn-lib": "^4.4",

config/Migrations/20250124082232_AddLoginTokenToUsers.php

@@ -0,0 +1,31 @@
+<?php
+declare(strict_types=1);
+
+use Migrations\AbstractMigration;
+
+class AddLoginTokenToUsers extends AbstractMigration
+{
+    /**
+     * Change Method.
+     *
+     * More information on this method is available here:
+     * https://book.cakephp.org/phinx/0/en/migrations.html#the-change-method
+     * @return void
+     */
+    public function change(): void
+    {
+        $table = $this->table('users');
+        $table->addColumn('login_token', 'string', [
+            'default' => null,
+            'limit' => 32,
+            'null' => true,
+        ])->addColumn('login_token_date', 'datetime', [
+            'default' => null,
+            'null' => true,
+        ])->addColumn('token_send_requested', 'boolean', [
+            'default' => false,
+            'null' => false,
+        ])->addIndex('login_token');
+        $table->update();
+    }
+}

config/permissions.php

@@ -79,6 +79,9 @@
                 'webauthn2faRegisterOptions',
                 'webauthn2faAuthenticate',
                 'webauthn2faAuthenticateOptions',
+                'requestLoginLink',
+                'sendLoginLink',
+                'singleTokenLogin',
             ],
             'bypassAuth' => true,
         ],

config/users.php

@@ -160,7 +160,7 @@
         // The algorithm used
         'algorithm' => enum_exists(\RobThree\Auth\Algorithm::class) ? \RobThree\Auth\Algorithm::Sha1 : null,
         // QR-code provider (more on this later)
-        'qrcodeprovider' => null,
+        'qrcodeprovider' => new \RobThree\Auth\Providers\Qr\EndroidQrCodeProvider(),
         // Random Number Generator provider (more on this later)
         'rngprovider' => null,
     ],
@@ -174,6 +174,19 @@
         \CakeDC\Auth\Authentication\TwoFactorProcessor\Webauthn2faProcessor::class,
         \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
     ],
+    /**
+     * @see  https://github.com/CakeDC/users/blob/14.next-cake5/Docs/Documentation/MagicLink.md
+     */
+    'OneTimeLogin' => [
+        'enabled' => true,
+        'thresholdTimeout' => 60,
+        'tokenLifeTime' => 600,
+        'DeliveryHandlers' => [
+            'Email' => [
+                'className' => \CakeDC\Users\Model\Behavior\OneTimeDelivery\EmailDelivery::class
+            ]
+        ]
+    ],
     // default configuration used to auto-load the Auth Component, override to change the way Auth works
     'Auth' => [
         'Authentication' => [
@@ -219,6 +232,13 @@
                 'className' => 'CakeDC/Users.SocialPendingEmail',
                 'skipTwoFactorVerify' => true,
             ],
+            'OneTimeToken' => [
+                'className' => 'CakeDC/Auth.OneTimeToken',
+                'skipTwoFactorVerify' => true,
+                'loginUrl' => [
+                    '/login',
+                ],
+            ]
         ],
         'Identifiers' => [
             'Password' => [

phpstan-baseline.neon

@@ -10,11 +10,6 @@ parameters:
 			count: 2
 			path: src/Controller/Component/LoginComponent.php
 
-		-
-			message: "#^Access to an undefined property CakeDC\\\\Users\\\\Controller\\\\UsersController\\:\\:\\$Authentication\\.$#"
-			count: 2
-			path: src/Controller/UsersController.php
-
 		-
 			message: "#^Access to an undefined property CakeDC\\\\Users\\\\Controller\\\\UsersController\\:\\:\\$OneTimePasswordAuthenticator\\.$#"
 			count: 3
@@ -105,11 +100,6 @@ parameters:
 			count: 1
 			path: src/Model/Behavior/BaseTokenBehavior.php
 
-		-
-			message: "#^Access to an undefined property Cake\\\\Datasource\\\\EntityInterface\\:\\:\\$social_accounts\\.$#"
-			count: 2
-			path: src/Model/Behavior/LinkSocialBehavior.php
-
 		-
 			message: "#^Access to an undefined property Cake\\\\ORM\\\\Table\\:\\:\\$SocialAccounts\\.$#"
 			count: 5
@@ -120,21 +110,6 @@ parameters:
 			count: 1
 			path: src/Model/Behavior/LinkSocialBehavior.php
 
-		-
-			message: "#^Access to an undefined property Cake\\\\Datasource\\\\EntityInterface\\:\\:\\$password\\.$#"
-			count: 1
-			path: src/Model/Behavior/PasswordBehavior.php
-
-		-
-			message: "#^Access to an undefined property Cake\\\\Datasource\\\\EntityInterface\\:\\:\\$password_confirm\\.$#"
-			count: 1
-			path: src/Model/Behavior/PasswordBehavior.php
-
-		-
-			message: "#^Call to an undefined method Cake\\\\Datasource\\\\EntityInterface\\:\\:checkPassword\\(\\)\\.$#"
-			count: 1
-			path: src/Model/Behavior/PasswordBehavior.php
-
 		-
 			message: "#^Call to an undefined method Cake\\\\ORM\\\\Table\\:\\:findByUsernameOrEmail\\(\\)\\.$#"
 			count: 1
@@ -209,9 +184,3 @@ parameters:
 			message: "#^Method CakeDC\\\\Users\\\\Model\\\\Entity\\\\User\\:\\:_setTos\\(\\) should return bool but returns string\\.$#"
 			count: 1
 			path: src/Model/Entity/User.php
-
-		-
-			message: "#^Parameter \\#2 \\$usersTable of class CakeDC\\\\Users\\\\Webauthn\\\\Repository\\\\UserCredentialSourceRepository constructor expects CakeDC\\\\Users\\\\Model\\\\Table\\\\UsersTable\\|null, Cake\\\\ORM\\\\Table given\\.$#"
-			count: 1
-			path: src/Webauthn/BaseAdapter.php
-

src/Command/UsersDeleteUserCommand.php

@@ -46,7 +46,7 @@ public function execute(Arguments $args, ConsoleIo $io)
          */
         $UsersTable = $this->getTableLocator()->get('Users');
         /**
-         * @var \Cake\Datasource\EntityInterface $user
+         * @var \CakeDC\Users\Model\Entity\User $user
          */
         $user = $UsersTable->find()->where(['username' => $username])->firstOrFail();
         if (isset($UsersTable->SocialAccounts)) {

src/Controller/Traits/OneTimeTokenTrait.php

@@ -0,0 +1,91 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Copyright 2010 - 2019, Cake Development Corporation (https://www.cakedc.com)
+ *
+ * Licensed under The MIT License
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright Copyright 2010 - 2018, Cake Development Corporation (https://www.cakedc.com)
+ * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
+ */
+
+namespace CakeDC\Users\Controller\Traits;
+
+use Cake\Datasource\Exception\RecordNotFoundException;
+use CakeDC\Users\Utility\UsersUrl;
+
+/**
+ * Covers the login, logout and social login
+ *
+ * @property \Cake\Http\ServerRequest $request
+ */
+trait OneTimeTokenTrait
+{
+    /**
+     * Request a single token login link.
+     *
+     * @return \Cake\Http\Response|null
+     */
+    public function requestLoginLink()
+    {
+        if ($this->getRequest()->is('post')) {
+            $email = $this->getRequest()->getData('email');
+            try {
+                /** @var \CakeDC\Users\Model\Table\UsersTable $Users */
+                $Users = $this->getUsersTable();
+                /** @uses \CakeDC\Users\Model\Behavior\OneTimeLoginLinkBehavior::sendLoginLink() */
+                $Users->sendLoginLink($email);
+            } catch (RecordNotFoundException $e) {
+                $this->log(
+                    sprintf('A user is trying to get a login link for the email %s but it does not exist.', $email)
+                );
+            }
+            $msg = __d(
+                'cake_d_c/users',
+                'If your user is registered in the system you will receive an email ' .
+                'with a link so you can access your user area.'
+            );
+            $this->Flash->success($msg);
+            $this->setRequest($this->getRequest()->withoutData('email'));
+
+            return $this->redirect(UsersUrl::actionUrl('login'));
+        }
+
+        return null;
+    }
+
+    /**
+     * Single token login.
+     *
+     * @return \Cake\Http\Response|null
+     */
+    public function singleTokenLogin()
+    {
+        $errorMessage = null;
+        $token = null;
+        if ($this->getRequest()->is('get')) {
+            $token = $this->getRequest()->getQuery('token');
+        }
+
+        if ($this->getRequest()->is('post') || $token) {
+            $user = $this->Authentication->getIdentity();
+            $token = $this->getRequest()->getData('token', $token);
+            if (is_array($token)) {
+                $token = join($token);
+            }
+            if (!$user && !empty($token)) {
+                $errorMessage = __d('cake_d_c/users', 'Invalid or expired token. Please request a new one.');
+            }
+        }
+
+        if ($errorMessage) {
+            $this->Flash->error($errorMessage);
+
+            return $this->redirect(UsersUrl::actionUrl('login'));
+        }
+
+        return $this->redirect('/');
+    }
+}