Many websites have a password-less authentication system, i.e. you can sign up / log in / log out only with an email, and no password is ever required.
How would one implement such a system? (framework and language-agnostic)
Note: I've already read:
Password-less authentication in web apps - How safe it is? and a few other security.SE posts
and searched for SO posts about how to actually implement a [password-less] login system, but without much success; I haven't found a canonical question on SO about implementation of a password-less auth.
Manually logging in a user without password is linked but not the same thing: there the idea is to log in immediately after a successful account creation, but not necessarily a 100% password-less authentication system.
As I searched for a long time for this, here is a summary that I post with SO's "Answer your own question - Q&A-style" feature. I'll update it as often as I can to improve it.
Flow 1: login link sent by e-mail

Sign-up:
  client -> server: {email: 'test@test.com', data: 'data'}

Log-in:
  client -> server: {email: 'test@test.com'}
  (server sends an e-mail containing a link to the site whose URL carries ?sessid)

Open link (URL carries ?sessid):
  document.cookie = "sessid=f65a5bc45; expires=Fri, 31 Dec 9999 23:59:59 GMT"
  (or do this server side, e.g. with PHP)
  query string removed, navigate to /

Open /:
  client -> server: {sessid: getCookieValue('sessid')}
  xhr.onreadystatechange: fills page with user data

Flow 2: login code sent by e-mail

Sign-up:
  client -> server: {email: 'test@test.com', data: 'data'}

Log-in:
  client -> server: {email: 'test@test.com'}
  (server sends an e-mail containing a code)
  client -> server: {email: 'test@test.com', code: '123456'}
  document.cookie = "sessid=f65a5bc45; expires=Fri, 31 Dec 9999 23:59:59 GMT"
  (or do this server side with PHP)
  navigate to /

Open /:
  client -> server: {sessid: getCookieValue('sessid')}
  xhr.onreadystatechange: fills page with user data
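The two flows above, as an added worked example in Python that is not part of the original question or answer: a framework-free, in-memory model of the server side, with the checks the flow sketches leave out. Login link tokens and codes are random (`secrets`), stored only as hashes, valid for a short time and for a single use, compared in constant time, and a pending code is discarded after a few wrong guesses so a 6-digit value cannot be guessed online; the session cookie is emitted by the server as a Set-Cookie header with HttpOnly, Secure, SameSite and a bounded Max-Age, rather than written from page script with an expiry in the year 9999. The class name `PasswordlessAuth`, the policy constants, and the `/login?email=...&token=...` link format are assumptions made for this example; dicts stand in for a database and `outbox` for the mail server.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Policy values are assumptions for this example, not taken from the answer above.
MAGIC_LINK_TTL = 15 * 60      # seconds a mailed login link stays valid
CODE_TTL = 5 * 60             # seconds a mailed 6-digit code stays valid
CODE_MAX_ATTEMPTS = 5         # wrong guesses before a pending code is discarded
SESSION_TTL = 7 * 24 * 3600   # bounded session lifetime instead of "expires 9999"


def _hash(value: str) -> str:
    """Only hashes of tokens and session ids are stored, so a DB leak is not a login."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Challenge:
    """A pending login secret (link token or code): its hash, expiry and guess count."""
    secret_hash: str
    expires_at: float
    attempts: int = 0


class PasswordlessAuth:
    """Hypothetical in-memory server side of both flows (example code, not the post's)."""

    def __init__(self, base_url="https://example.com", now=time.time):
        self.base_url = base_url
        self.now = now          # injectable clock so expiry can be tested
        self.users = {}         # email -> user data
        self.challenges = {}    # email -> Challenge (one pending secret per address)
        self.sessions = {}      # hash(sessid) -> (email, expires_at)
        self.outbox = []        # "sent" e-mails, captured instead of delivered

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def signup(self, email: str, data) -> None:          # {email, data}
        email = self._norm(email)
        if email in self.users:
            raise ValueError("address already registered")
        self.users[email] = data

    def _issue(self, email: str, secret: str, ttl: int) -> None:
        # Replaces any older pending secret; stores the hash, never the secret itself.
        self.challenges[email] = Challenge(_hash(secret), self.now() + ttl)

    # Flow 1 log-in: {email} -> e-mail with a link carrying a random token. Unknown
    # addresses get the same empty response (no account enumeration); no mail is sent.
    def request_magic_link(self, email: str) -> None:
        email = self._norm(email)
        if email not in self.users:
            return
        token = secrets.token_urlsafe(32)
        self._issue(email, token, MAGIC_LINK_TTL)
        link = f"{self.base_url}/login?{urlencode({'email': email, 'token': token})}"
        self.outbox.append({"to": email, "link": link})

    # Flow 2 log-in: {email} -> e-mail with a 6-digit code.
    def request_code(self, email: str) -> None:
        email = self._norm(email)
        if email not in self.users:
            return
        code = f"{secrets.randbelow(10**6):06d}"
        self._issue(email, code, CODE_TTL)
        self.outbox.append({"to": email, "code": code})

    def _redeem(self, email: str, presented: str):
        """Check a presented token or code; on success create a session and return
        its id, otherwise None. Expired, over-guessed and already-used secrets fail."""
        email = self._norm(email)
        ch = self.challenges.get(email)
        if ch is None:
            return None
        if self.now() > ch.expires_at or ch.attempts >= CODE_MAX_ATTEMPTS:
            del self.challenges[email]
            return None
        if not hmac.compare_digest(ch.secret_hash, _hash(presented)):
            ch.attempts += 1                    # constant-time compare, count misses
            return None
        del self.challenges[email]              # single use
        sessid = secrets.token_urlsafe(32)
        self.sessions[_hash(sessid)] = (email, self.now() + SESSION_TTL)
        return sessid

    def redeem_magic_link(self, email: str, token: str):   # GET /login?email=..&token=..
        return self._redeem(email, token)

    def verify_code(self, email: str, code: str):          # POST {email, code}
        return self._redeem(email, code)

    def session_cookie(self, sessid: str) -> str:
        """Set-Cookie header value sent by the server instead of using document.cookie:
        HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP,
        SameSite limits cross-site sending, Max-Age bounds its life."""
        return f"sessid={sessid}; Max-Age={SESSION_TTL}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def user_for_session(self, sessid: str):               # Open /: {sessid} -> data
        key = _hash(sessid)
        entry = self.sessions.get(key)
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            del self.sessions[key]
            return None
        return self.users.get(email)

    def logout(self, sessid: str) -> None:
        self.sessions.pop(_hash(sessid), None)


def parse_login_link(link: str):
    """What the /login handler does with the mailed URL: pull out email and token."""
    q = parse_qs(urlsplit(link).query)
    return q["email"][0], q["token"][0]
```

In a real deployment the `/login` handler calls `redeem_magic_link`, answers with the `session_cookie` header and a redirect to `/`, so the token never needs to be read by page script at all, and `/` looks the session up from the cookie rather than having the client echo it back in a request body. The 6-digit code flow only holds up because of the attempt cap and the short TTL; without both, a million guesses are cheap.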