Closed Bug 937889 Opened 11 years ago Closed 11 years ago

[research] Login users via a URL in email

Categories

(support.mozilla.org :: General, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED
2013Q4

People

(Reporter: rrosario, Unassigned)

Details

(Whiteboard: u=user c=auth p=3 s=2013.23)

For bug 928899, we want users to be able to quickly reply to their question thread without having to log in if they aren't already. For this, we'll need to implement some sort of mechanism that logs a user in via a URL.

Some things that need to be considered:
* Should any user be able to be logged in via this method? Should we not allow users with elevated permissions to do this?
* Does the login only work for the one question they asked or are they now authed like a normal authed user on the site?
* Does the URL only work once?
Summary: [research] Logging in users via a URL in email → [research] Login users via a URL in email
I was thinking about this a lot last week when I was throwing together Harold.

I was thinking for SUMO we'd create a new kind of account which I'm going to call LimitedUser. It would have the following properties:

1. A LimitedUser is not a regular SUMO user account (i.e. not a django.contrib.auth.models.User). It's a separate thing with a separate table.

2. If you have a LimitedUser account, you would have the option of converting it into a SUMO user account. Once you did that, then you'd log in with your SUMO user account. Your LimitedUser account would no longer exist.

3. The way to log in with a LimitedUser account is with an auth key in the url. That's it.

4. A LimitedUser account consists of an auth_key, an email address, a question id and a "last used" datetime.

5. LimitedUser accounts should expire after n days of non-usage.

6. We'd fix the AAQ flow so that if the user is not logged in, we say, "If you have an account, log in now. If you don't have an account, give us your email address so we can respond back to you." In the latter case, we create a LimitedUser account.

7. We should tie a LimitedUser to a specific question. He/she can only add answers to that question and that's it. If the user has multiple questions, internally we have multiple LimitedUser accounts, but they wouldn't notice.

8. Any emails we send to a LimitedUser should include the auth key in the urls in the email.


I think this breaks down in a few places:

1. If the user deletes his/her email, then he/she has no way to get back to their LimitedUser account or the question. I think that's ok. I don't think we should throw a ton of code at fixing this. Instead I think we should make this crystal clear in the initial email we send the user. Though now that I say this, maybe it's ok to just store the auth key in cookies. That might make it harder to do "one LimitedUser account per question". We might have to switch to allowing a LimitedUser to ask multiple questions. But I think that gets messy.

2. I think this is going to cause some difficulties implementing since LimitedUser != django.contrib.auth.models.User and I bet there are a bunch of places in the code where we expect a django.contrib.auth.models.User. One way we might want to deal with this is create a django.contrib.auth.models.User account called "Limited User" and tweak User so that if it's a LimitedUser, it reduces its permissions to that one question.

3. If the user forwards his/her email to someone, that person now has access to his/her LimitedUser account. I think we shouldn't throw code at this and instead we should make it crystal clear that this happens in the initial email.


That's what I was thinking with Harold.
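
The LimitedUser proposal in the comment above, sketched as an added example (not part of the original comment and not SUMO code). It uses plain Python rather than Django models; `LimitedUserStore`, `authorize_reply`, the 30-day expiry and storing a digest instead of the raw key are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

EXPIRY_DAYS = 30  # assumed value for the "n days of non-usage" in point 5


def key_digest(auth_key: str) -> str:
    # Assumption: keep only a SHA-256 digest, so a leaked table yields no usable URLs.
    return hashlib.sha256(auth_key.encode()).hexdigest()


@dataclass
class LimitedUser:  # fields from point 4, with the key stored as a digest
    digest: str
    email: str
    question_id: int
    last_used: datetime


class LimitedUserStore:  # hypothetical in-memory stand-in for the separate table
    def __init__(self):
        self._rows = {}

    def create(self, email: str, question_id: int, now: datetime) -> str:
        """Create the account for one question; return the key to embed in email URLs."""
        auth_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        row = LimitedUser(key_digest(auth_key), email, question_id, now)
        self._rows[row.digest] = row
        return auth_key

    def authorize_reply(self, auth_key: str, question_id: int, now: datetime):
        """Return the LimitedUser if the key may reply to question_id, else None."""
        row = self._rows.get(key_digest(auth_key))
        if row is None:
            return None  # unknown key
        if now - row.last_used > timedelta(days=EXPIRY_DAYS):
            del self._rows[row.digest]  # point 5: expire after non-usage
            return None
        if row.question_id != question_id:
            return None  # point 7: the key is valid for its own question only
        row.last_used = now  # successful use resets the expiry clock
        return row
```
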
Kadir, do you have any thoughts/feedback on the idea in Comment 1?

That probably might be a bigger change than logging in users via a URL in an email. BUT, we wouldn't have to worry about some of the security issues around logging in any user (possibly with elevated permissions) via a URL.

It's the last day of the sprint and there hasn't been enough work on this yet. This will be falling to the next sprint.
Flags: needinfo?(a.topal)
I talked with Kadir about this a little today. The minimal viable implementation (is that a thing?) would be a URL where the creator can go reply to the question thread. We don't need to actually log them in. Maybe there is a way we can trick the view to treat the user as logged in only when rendering that one question and POSTing a reply to it.
Flags: needinfo?(a.topal)
We are done here (for now) per Bug 928899 Comment 3.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED