Passwordless Authentication

api/desecapi/authentication.py

@@ -158,6 +158,8 @@ class EmailPasswordPayloadAuthentication(BaseAuthentication):
     def authenticate(self, request):
         serializer = EmailPasswordSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
+        if "password" not in serializer.data:
+            return None
         return self.authenticate_credentials(
             serializer.data["email"], serializer.data["password"], request
         )

api/desecapi/models/authenticated_actions.py

@@ -8,6 +8,7 @@
 
 from .domains import Domain
 from .mfa import TOTPFactor
+from .tokens import Token
 
 
 class AuthenticatedAction(models.Model):
@@ -112,6 +113,15 @@ def _state_fields(self):
         return super()._state_fields + [str(self.user.id)]
 
 
+class AuthenticatedCreateLoginTokenAction(AuthenticatedBasicUserAction):
+    """
+    Action to create a login token.
+    """
+
+    def _act(self):
+        return Token.create_login_token(self.user)
+
+
 class AuthenticatedEmailUserAction(AuthenticatedBasicUserAction):
     """
     Abstract AuthenticatedAction involving a user instance with unmodified email address.

api/desecapi/models/tokens.py

@@ -17,6 +17,8 @@
 from django_prometheus.models import ExportModelOperationsMixin
 from netfields import CidrAddressField, NetManager
 
+from .users import User
+
 
 class Token(ExportModelOperationsMixin("Token"), rest_framework.authtoken.models.Token):
     @staticmethod
@@ -100,6 +102,17 @@ def delete(self):
         self.tokendomainpolicy_set.filter(domain__isnull=True).delete()
         return super().delete()
 
+    @classmethod
+    def create_login_token(cls, user: User):
+        token = cls.objects.create(
+            user=user,
+            perm_manage_tokens=True,
+            max_age=timedelta(days=7),
+            max_unused_period=timedelta(hours=1),
+            mfa=False,
+        )
+        return token
+
 
 @pgtrigger.register(
     # Ensure that token_user is consistent with token

api/desecapi/models/users.py

@@ -135,6 +135,7 @@ def send_email(
             "delete-account": fast_lane,
             "domain-dyndns": fast_lane,
             "renew-domain": immediate_lane,
+            "create-login-token": immediate_lane,
         }
         if reason not in lanes:
             raise ValueError(

api/desecapi/serializers/__init__.py

@@ -4,6 +4,7 @@
     AuthenticatedChangeEmailUserActionSerializer,
     AuthenticatedChangeOutreachPreferenceUserActionSerializer,
     AuthenticatedConfirmAccountUserActionSerializer,
+    AuthenticatedCreateLoginTokenActionSerializer,
     AuthenticatedCreateTOTPFactorUserActionSerializer,
     AuthenticatedDeleteUserActionSerializer,
     AuthenticatedRenewDomainBasicUserActionSerializer,

api/desecapi/serializers/authenticated_actions.py

@@ -265,6 +265,17 @@ class Meta(AuthenticatedBasicUserActionSerializer.Meta):
         model = models.AuthenticatedDeleteUserAction
 
 
+class AuthenticatedCreateLoginTokenActionSerializer(
+    AuthenticatedBasicUserActionSerializer
+):
+    reason = "create-login-token"
+    validity_period = timedelta(minutes=10)
+
+    class Meta(AuthenticatedBasicUserActionSerializer.Meta):
+        model = models.AuthenticatedCreateLoginTokenAction
+        fields = AuthenticatedBasicUserActionSerializer.Meta.fields
+
+
 class AuthenticatedDomainBasicUserActionSerializer(
     AuthenticatedBasicUserActionSerializer
 ):

api/desecapi/serializers/users.py

@@ -12,7 +12,7 @@ class EmailSerializer(serializers.Serializer):
 
 
 class EmailPasswordSerializer(EmailSerializer):
-    password = serializers.CharField()
+    password = serializers.CharField(required=False)
 
 
 class ChangeEmailSerializer(serializers.Serializer):

api/desecapi/templates/emails/create-login-token/content.txt

@@ -0,0 +1,12 @@
+{% extends "emails/content.txt" %}
+{% block content %}{% load action_extras %}Hi,
+
+someone request a login link for your account. To log in, please use the following link (valid for {% action_link_expiration_hours action_serializer %} hours):
+
+{% action_link action_serializer %}
+
+If you did not request this, please contact [email protected].
+
+Stay secure,
+The deSEC Team
+{% endblock %}

api/desecapi/templates/emails/create-login-token/subject.txt

@@ -0,0 +1 @@
+[deSEC] Login information

api/desecapi/tests/test_user_management.py

@@ -51,14 +51,11 @@ def register(self, email, password, captcha=None, **kwargs):
             reverse("v1:register"), {"email": email, "password": password, **kwargs}
         )
 
-    def login_user(self, email, password):
-        return self.post(
-            reverse("v1:login"),
-            {
-                "email": email,
-                "password": password,
-            },
-        )
+    def login_user(self, email, password=None):
+        payload = {"email": email}
+        if password is not None:
+            payload["password"] = password
+        return self.post(reverse("v1:login"), payload)
 
     def logout(self, token):
         return self.post(reverse("v1:logout"), HTTP_AUTHORIZATION=f"Token {token}")
@@ -127,7 +124,7 @@ def register_user(self, email=None, password=None, late_captcha=False, **kwargs)
             self.client.register(email, password, captcha, **kwargs),
         )
 
-    def login_user(self, email, password):
+    def login_user(self, email, password=None):
         return self.client.login_user(email, password)
 
     def logout(self, token):
@@ -550,6 +547,52 @@ def _test_delete_account(self, email, password):
         self.assertUserDoesNotExist(email)
 
 
+class PasswordlessUserTestCase(UserManagementTestCase):
+
+    def assertLoginSuccessResponse(self, response):
+        return self.assertContains(
+            response=response, text="instructions", status_code=status.HTTP_202_ACCEPTED
+        )
+
+    def assertCreateLoginTokenVerificationEmail(self, reset=True):
+        return self.assertEmailSent(
+            subject_contains="Login information",
+            body_contains="login link for your account",
+            recipient=[self.email],
+            reset=reset,
+            pattern=r"following link[^:]*:\s+([^\s]*)",
+        )
+
+    def assertCreateLoginTokenVerificationSuccessResponse(self, response):
+        return self.assertContains(
+            response=response,
+            text=f"token",
+            status_code=status.HTTP_200_OK,
+        )
+
+    def setUp(self):
+        self.email, _, _ = self.register_user(self.random_username())
+        confirmation_link = self.assertRegistrationEmail(self.email)
+        self.assertConfirmationLinkRedirect(confirmation_link)
+        response = self.client.verify(confirmation_link)
+        self.assertRegistrationVerificationSuccessResponse(response)
+        self.assertTrue(User.objects.get(email=self.email).is_active)
+        self.assertEmailSent(reset=True)
+
+    def test_login_successful(self):
+        response = self.login_user(self.email, None)
+        self.assertLoginSuccessResponse(response)
+        link = self.assertCreateLoginTokenVerificationEmail()
+        self.assertCreateLoginTokenVerificationSuccessResponse(
+            self.client.verify(link)
+        )
+
+    def test_login_unsuccessful(self):
+        response = self.login_user("[email protected]", None)
+        self.assertLoginSuccessResponse(response)  # no disclosure that this account does not exist!
+        self.assertNoEmailSent()
+
+
 class UserLifeCycleTestCase(UserManagementTestCase):
     def test_life_cycle(self):
         self.email, self.password = self._test_registration(

api/desecapi/urls/version_1.py

@@ -122,6 +122,11 @@
         views.AuthenticatedRenewDomainBasicUserActionView.as_view(),
         name="confirm-renew-domain",
     ),
+    path(
+        "v/create-login-token/<code>/",
+        views.AuthenticatedCreateLoginTokenActionView.as_view(),
+        name="confirm-create-login-token",
+    ),
     # CAPTCHA
     path("captcha/", views.CaptchaView.as_view(), name="captcha"),
 ]

api/desecapi/views/__init__.py

@@ -4,6 +4,7 @@
     AuthenticatedChangeEmailUserActionView,
     AuthenticatedChangeOutreachPreferenceUserActionView,
     AuthenticatedConfirmAccountUserActionView,
+    AuthenticatedCreateLoginTokenActionView,
     AuthenticatedCreateTOTPFactorUserActionView,
     AuthenticatedDeleteUserActionView,
     AuthenticatedRenewDomainBasicUserActionView,

api/desecapi/views/authenticated_actions.py

@@ -216,6 +216,17 @@ def post(self, request, *args, **kwargs):
         return Response(serializer.data)
 
 
+class AuthenticatedCreateLoginTokenActionView(AuthenticatedActionView):
+    html_url = "/confirm/create-login-token/{code}/"
+    serializer_class = serializers.AuthenticatedCreateLoginTokenActionSerializer
+
+    def post(self, request, *args, **kwargs):
+        super().post(request, *args, **kwargs)
+        token = self.authenticated_action.act()
+        serializer = serializers.TokenSerializer(token, include_plain=True)
+        return Response(serializer.data)
+
+
 class AuthenticatedResetPasswordUserActionView(AuthenticatedActionView):
     html_url = "/confirm/reset-password/{code}/"
     serializer_class = serializers.AuthenticatedResetPasswordUserActionSerializer

api/desecapi/views/users.py

@@ -1,5 +1,3 @@
-from datetime import timedelta
-
 from django.conf import settings
 from django.contrib.auth import user_logged_in
 from rest_framework import generics, mixins, status
@@ -93,23 +91,32 @@ def post(self, request, *args, **kwargs):
 
 class AccountLoginView(generics.GenericAPIView):
     authentication_classes = (authentication.EmailPasswordPayloadAuthentication,)
-    permission_classes = (IsAuthenticated,)
     serializer_class = serializers.TokenSerializer
     throttle_scope = "account_management_passive"
 
     def post(self, request, *args, **kwargs):
-        user = self.request.user
-        token = Token.objects.create(
-            user=user,
-            perm_manage_tokens=True,
-            max_age=timedelta(days=7),
-            max_unused_period=timedelta(hours=1),
-            mfa=False,
-        )
-        user_logged_in.send(sender=user.__class__, request=self.request, user=user)
-
-        data = self.get_serializer(token, include_plain=True).data
-        return Response(data)
+        if request.user and request.user.is_authenticated:
+            # password was provided
+            user = self.request.user
+            data = self.get_serializer(
+                Token.create_login_token(user), include_plain=True
+            ).data
+            user_logged_in.send(sender=user.__class__, request=request, user=user)
+            return Response(data)
+        else:
+            # password was not provided
+            message = "Login instructions have been sent to the email address associated with your user account."
+            response = Response(data={"detail": message}, status=status.HTTP_202_ACCEPTED)
+
+            # TODO how to determine user ID properly? Use a serializer?
+            try:
+                user = User.objects.get(email=request.data.get('email'))
+            except User.DoesNotExist:
+                pass
+            else:
+                serializers.AuthenticatedCreateLoginTokenActionSerializer.build_and_save(user=user)
+
+            return response
 
 
 class AccountLogoutView(APIView, mixins.DestroyModelMixin):

www/webapp/src/components/CreateLoginTokenActionHandler.vue

@@ -0,0 +1,24 @@
+<script>
+  import GenericActionHandler from "./GenericActionHandler"
+  import {HTTP} from "../utils";
+
+  export default {
+    name: 'CreateLoginTokenActionHandler',
+    extends: GenericActionHandler,
+    data: () => ({
+      auto_submit: true,
+    }),
+    watch: {
+      success(value) {
+        if(value) {
+          HTTP.defaults.headers.common.Authorization = `Token ${value.token}`;
+          this.$store.commit('login', value);
+          if (this.useSessionStorage) {
+            sessionStorage.setItem('token', JSON.stringify(value));
+          }
+          this.$router.replace({ name: 'domains' });
+        }
+      }
+    }
+  };
+</script>

www/webapp/src/views/Login.vue

@@ -39,13 +39,11 @@
               />
               <v-text-field
                 v-model="password"
-                label="Password"
+                label="Password (leave empty to login via email)"
                 :append-icon="hide_password ? 'mdi-eye' : 'mdi-eye-off'"
                 :type="hide_password ? 'password' : 'text'"
                 outline
-                required
                 :disabled="working"
-                :rules="password_rules"
                 tabindex="2"
                 @click:append="() => (hide_password = !hide_password)"
               />
@@ -104,9 +102,6 @@ export default {
     useSessionStorage: false,
     email_rules: [v => !!v || 'Please enter the email address associated with your account'],
     email_errors: [],
-    password_rules: [
-      v => !!v || 'Enter your password to log in',
-    ],
     hide_password: true,
     errors: [],
   }),
@@ -115,10 +110,13 @@ export default {
       this.working = true;
       this.errors.splice(0, this.errors.length);
       try {
-        const response = await HTTP.post('auth/login/', {
-          email: this.email,
-          password: this.password,
-        });
+        let payload = {
+          email: this.email
+        };
+        if (this.password) {
+          payload['password'] = this.password;
+        }
+        const response = await HTTP.post('auth/login/', payload);
         HTTP.defaults.headers.common.Authorization = `Token ${response.data.token}`;
         this.$store.commit('login', response.data);
         if (this.useSessionStorage) {