Mattias,

It may be worth checking out django-allauth. It doesn't use the flow you are proposing -- as register-by-email users do need to enter a password -- but it has a nicely integrated one-click login via Facebook/Google/etc. alternative option for users. I haven't tried, as I like the default flows, but I guess you would be able to modify the code to do what you want pretty easily. (If you do try it, here's <http://stackoverflow.com/questions/11065610/using-django-allauth/11075511#11075511> a tip on installation.)

--Ien

On Sunday, June 17, 2012 8:25:15 PM UTC-4, Mattias Linnap wrote:
>
> Hi all,
>
> I'm trying to build a nice authentication flow for a website.
>
> In my opinion, a good flow would be:
> 0. There are no usernames, emails are used instead,
> 1. User signs up by just entering their email address,
> 2. An account is created for them, and a temporary plaintext password,
> along with a sign-in link is sent by email (only its hash, not the
> plaintext password is stored in the database),
> 3. If they log in for the first time, they are prompted to, but not
> forced to change their password (this is not emailed),
> 4. If they forget their password, a new temporary password along with
> a sign-in link are sent to them by email.
> 5. There should be as few intermediate "success confirmation" pages as
> possible, instead redirecting to a useful page, and showing a
> temporary message on there.
>
> I would argue that this is as secure as ordinary password reset emails.
> Emailing users their passwords is insecure if they *themselves* chose
> the password - because they often re-use it on multiple sites.
> As long as it is a randomly generated one, it is no different from
> emailing them password reset links.
> Do you agree?
>
> What would you recommend as the approach to building this with least
> effort, while keeping the rest of django and django.contrib packages
> working as expected?
> I've experimented briefly with django-registration, and it seems that
> the best approach might be writing a new backend for it.
> Do you have any other suggestions or packages that I should look at first?
>
> Thanks,
>
> Mattias
>
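
Steps 1 to 4 of the flow quoted above, as an added standard-library sketch; it is not code from this thread, from django-allauth or from django-registration. The in-memory USERS dict, the function names and the PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed work factor for this sketch
USERS = {}             # email -> record; stands in for the user table


def _normalize(email):
    return email.strip().lower()


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def issue_temporary_password(email):
    """Steps 1, 2 and 4: create or reset the account.

    Returns the plaintext that goes into the e-mail; only the salted
    hash is kept in USERS.
    """
    password = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    USERS[_normalize(email)] = {
        "salt": salt, "hash": _hash(password, salt), "temporary": True}
    return password


def check_login(email, password):
    """Return (ok, prompt_change). Step 3: prompt for a change, never force it."""
    rec = USERS.get(_normalize(email))
    if rec is None:
        # Hash anyway so an unknown address costs about as much as a known one.
        _hash(password, b"\x00" * 16)
        return (False, False)
    ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    return (ok, ok and rec["temporary"])


def change_password(email, new_password):
    """A user-chosen password is stored as a hash and never e-mailed."""
    rec = USERS[_normalize(email)]
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _hash(new_password, rec["salt"])
    rec["temporary"] = False
```
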

