MealPro

Showcase
41

Thanks Ken, this is awesome! But I didn't expect anything less from you :wink: (as you've always been very helpful).

This describes the process for security providers that are not using the Use Password Hash Verify option but rather are hashing manually.

I just checked and we have it ticked
CleanShot 2024-05-23 at 17.40.48

Why would this not work with this enabled? (Not 100% sure what it does)

42

Sorry, I haven't had to deal with that since that option came in well after I set this up, but because the hashing is done internally, I suspect it will make the process of what to hand off to the security provider different. There are probably some hashing actions that can be used.

1 Like
43

I don't think it will make too much difference to the process that @mebeingken gave. You will just need to store the token using Argon hash rather than hashing with a salt

1 Like
44

I do it like this:

  1. Create a token
(UUID+TIMESTAMP).md5(TIMESTAMP).substr(0, 42).encodeBase64Url()
  1. Hash the token with Argon2id
  2. Store the hash in Redis:
    Key: 'magic-login-'+queryUser.id Value: hashed token

CleanShot 2024-05-24 at 09.34.32
CleanShot 2024-05-24 at 09.34.321078×509 55.1 KB

  1. Send a link with the token and user_id in the query via email
  2. Check if the key exists in Redis:

CleanShot 2024-05-24 at 09.33.42
CleanShot 2024-05-24 at 09.33.421071×371 27.5 KB

  1. Verify the token with the hash:

CleanShot 2024-05-24 at 09.34.10
CleanShot 2024-05-24 at 09.34.101072×321 27.9 KB

  1. Log the user in:
    I have a separate db field in the user table with an auth secret that is used for logins instead of the password. The password is only used to verify password logins.

CleanShot 2024-05-24 at 09.36.28
CleanShot 2024-05-24 at 09.36.281069×816 95.1 KB

2 Likes