Dear Alex and Pere
Thank you both for your code and the time you took to help!
I am working through the code you sent, studying how it
works. Great learning experience.
Also, Alex, your point of not using password log ins is a
philosophical re-frame in my thinking! Thank you!
Tim
On 2024/03/27 2:36, Alex Tweedly via use-livecode wrote:
Hi Tim,
I guess my first response would be - don't.
Specifically, don't store or use passwords. Users have a bad
habit of re-using the same passwords, so even if your site has no
personal or valuable info about your users, the fact that
passwords get re-used means you are storing valuable info, and so
you're taking on a moral responsibility to keep it very safe.
If you do have passwords, then you need to have a recovery
mechanism for when users forget their password. 99% of the time,
that involves emailing them a recovery link, or temp password, or
... So in effect the password has the same (or less) security
than their email account - so you might as well just use the
email account.
Nowadays I always use this style of password-free accounts. I
would have sent a copy of the known, tested, etc. code - but it's
all embedded in lots of my libraries, etc. and was tricky to
unravel. So I've sent a very bare-bones version; tested but not
all corner cases (e.g. I didn't wait a week to ensure time-outs
happened properly :-).
Overview: The user asks for a code to login with, that gets
emailed to them, and then they type that code in to the next
screen. Once that's successfully done, you set up a cookie in
their browser, valid for some reasonable length of time such as 7
days, and you're done. Any script that wants to can take the
getCurrentUser() code to check that they are logged in properly.
Internally, it's done by creating a temporary code (6 digits,
which is recorded along with their email and expires within 15
minutes), and once they have verified that code, you give them a
new code which is a UUID (so essentially un-guessable) which
lasts for the 7 days.
Other than that, I hope it's reasonably straightforward .....
Alex.
simplelogin.lc
------------
<?lc
set the errormode to inline

-- codes.txt holds one record per line: code,email,expiry (expiry in seconds).
-- A code may appear on more than one line; the LAST matching line wins,
-- which is how a code is retired: append a copy with an already-past expiry.

function getCurrentUser
   local tCookie, tCodes, tExpires
   put $_COOKIE["myusercookie"] into tCookie
   if tCookie is empty then
      return empty
   end if
   -- codes are stored as code,email,expirydate (in seconds)
   put URL ("file:codes.txt") into tCodes
   filter tCodes with (tCookie & comma & "*")
   put item 3 of line -1 of tCodes into tExpires
   if seconds() > tExpires then
      return empty
   else
      return item 2 of line -1 of tCodes
   end if
end getCurrentUser

function shellEscape pText
   -- keep this at the end because it messes up Coda colouring
   -- backslash-escape the characters the shell treats specially inside double quotes
   -- (backslash first, so the escapes added afterwards are not themselves escaped)
   repeat for each char tChar in "\`!$" & quote
      replace tChar with "\" & tChar in pText
   end repeat
   return pText
end shellEscape

function wrapQ pText
   return quote & pText & quote
end wrapQ

on askforemail
   put "<p><form method='post' action='simplelogin.lc'>"
   put " <label for='email'>My email is </label>"
   put " <input type='email' name='email' value=''>"
   put " <button type='submit' value='havecode'>Submit my email </button>"
   put "</form>"
end askforemail

on askforcode
   put "<p><form method='post' action='simplelogin.lc'>"
   put " <label for='code'>My code is </label>"
   put " <input name='code' value=''>"
   put " <button type='submit' value='havecode'>Submit my code </button>"
   put "</form>"
end askforcode

on askforlogout
   put "<form method='post' action='simplelogin.lc'>"
   put " <input type='hidden' name='logout' value='true'>"
   put " <button type='submit' value='logout'>Log me out now</button>"
   put "</form>"
end askforlogout

-- real code starts here
put getCurrentUser() into tUser

-- logout: the hidden form field carries the value "true"; append a line for
-- the current cookie whose expiry is already past, so getCurrentUser()
-- (which reads the last matching line) stops resolving it
if $_POST["logout"] is "true" AND tUser is not empty then
   put $_COOKIE["myusercookie"] into tCode
   put tCode & comma & tUser & comma & (the seconds - 1) & CR after \
         URL ("file:codes.txt")
   put "Successfully logged out."
   exit to top
end if

if tUser is not empty then -- ask them if they want to log out
   put "Already logged in as " & tUser
   askforlogout
   exit to top
end if

put $_POST["code"] into tCode
if tCode is not empty then
   -- we need to compare this code with what is pending
   put URL ("file:codes.txt") into tPending
   put (tCode & comma & "*") into tFilter
   filter tPending with tFilter
   put line -1 of tPending into tPending
   if the seconds <= item 3 of tPending then -- found a match pending
      put item 2 of tPending into tEmail
      -- swap the short emailed code for an un-guessable UUID that lasts 7 days
      put uuid("random") into tCode
      put tCode & comma & tEmail & comma & (the seconds + 60*60*24*7) & CR after \
            URL ("file:codes.txt")
      put cookie "myusercookie" with tCode until (the seconds + 60*60*24*7)
      put "Successfully logged in"
      exit to top
   end if
   -- no match for the code
   put "Code not matched. Please try again or give different email address.<p>"
   askforcode
else
   put $_POST["email"] into tEmail
end if

if tEmail is not empty then
   -- have email address - generate a code and ask user for it
   put random(999999) into tSix
   put format("%06d", tSix) into tSix
   -- put this following line in for quick and easy testing !!
   -- be sure to take it out later !!!
   put "should email" && tSix && "to you.<p>"
   -- build the message header, adding the from, to and subject details
   -- we also put any cc addresses in here, but not bcc (bcc addresses hidden)
   put "i...@kilmelford.com" into pFrom -- CHANGE KILMELFORD.COM
   put tEmail into pTo
   put "From:" && pFrom & return & \
         "To:" && tEmail & return & \
         "Subject: Login code for kilmelford.com" & return into tMsg
   put "Content-Type: text/plain;" & return & return after tMsg
   put "Your code is" && tSix && "and it will expire in 15 minutes" after tMsg
   -- send the mail by piping the message we have just built to the sendmail command
   get shell("echo" && wrapQ(shellEscape(tMsg)) && "| /usr/sbin/sendmail" && \
         wrapQ(shellEscape(pTo)) && "-f" && wrapQ(shellEscape(pFrom)))
   -- record the six-digit code with a 15-minute expiry
   put the seconds into tEndTime
   add 15 * 60 to tEndTime
   put tSix & comma & tEmail & comma & tEndTime & CR after \
         URL ("file:codes.txt")
   askforcode
   exit to top
end if

askforemail
-- end of simplelogin.lc
--------------------
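The flow Alex describes (a 6-digit code emailed with a 15-minute expiry, exchanged on success for a UUID cookie value that lasts 7 days, and logout done by appending a record whose expiry is already past) is shown below as an added Python example; it is not code from Alex's script or from the LiveCode project. The class and function names (PasswordlessLogin, FakeClock, request_code, verify_code, current_user, logout) are my own, an in-memory list of (code, email, expiry) tuples stands in for codes.txt, an outbox list stands in for sendmail, and the address used in the demo is constructed. Two things go beyond the thread's script and are labelled as such in the comments: the emailed code is retired after its first successful use, and lookups use a constant-time comparison.

```python
"""Passwordless email-code login: Python sketch of the flow in the thread."""
import secrets
import time
import uuid

LOGIN_CODE_TTL = 15 * 60          # the emailed 6-digit code lives 15 minutes
SESSION_TTL = 7 * 24 * 60 * 60    # the UUID stored in the cookie lives 7 days


class FakeClock:
    """Constructed clock so expiry can be exercised without waiting a week."""
    def __init__(self, now=1_700_000_000):
        self.now = now

    def __call__(self):
        return self.now


class PasswordlessLogin:
    """Append-only store of (code, email, expiry) records, like codes.txt.
    A code may appear several times; the LAST matching record wins, so a code
    is retired by appending a copy with an already-past expiry."""

    def __init__(self, clock=time.time, send_mail=None):
        self.clock = clock
        self.records = []                       # (code, email, expiry_seconds)
        self.outbox = []                        # stands in for /usr/sbin/sendmail
        self.send_mail = send_mail or self.outbox.append

    def _last_match(self, code):
        found = None
        for rec in self.records:
            # constant-time compare (added hardening, not in the thread's script)
            if secrets.compare_digest(rec[0].encode(), code.encode()):
                found = rec                     # keep scanning: last match wins
        return found

    def _live(self, rec):
        return rec is not None and self.clock() <= rec[2]

    def _retire(self, code, email):
        self.records.append((code, email, self.clock() - 1))

    def request_code(self, email):
        """Step 1: record a 6-digit code for this email and 'mail' it."""
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, zero-padded
        self.records.append((code, email, self.clock() + LOGIN_CODE_TTL))
        self.send_mail((email, f"Your code is {code} and it will expire in 15 minutes"))
        return code

    def verify_code(self, code):
        """Step 2: exchange a live emailed code for a 7-day UUID session code.
        Returns the session token, or None if the code is unknown or expired."""
        rec = self._last_match(code)
        if not self._live(rec):
            return None
        email = rec[1]
        self._retire(code, email)       # single use (added hardening, not in the thread)
        token = str(uuid.uuid4())
        self.records.append((token, email, self.clock() + SESSION_TTL))
        return token

    def current_user(self, cookie):
        """getCurrentUser(): map the cookie value to an email, or None."""
        if not cookie:
            return None
        rec = self._last_match(cookie)
        return rec[1] if self._live(rec) else None

    def logout(self, cookie):
        """Append a past-expiry record for the cookie so it stops resolving."""
        user = self.current_user(cookie)
        if user is None:
            return False
        self._retire(cookie, user)
        return True


if __name__ == "__main__":
    svc = PasswordlessLogin()
    code = svc.request_code("tim@example.invalid")      # constructed address
    token = svc.verify_code(code)
    print("logged in as", svc.current_user(token))
    svc.logout(token)
    print("after logout:", svc.current_user(token))
```

Injecting the clock is what makes the "I didn't wait a week" corner case testable: advance it past LOGIN_CODE_TTL to see an emailed code lapse, and past SESSION_TTL to see the cookie value stop resolving.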
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode