feat: magic links #1668

Merged 22 commits on Jun 20, 2022

Conversation

@miguelpeixe (Member) commented May 27, 2022

All Submissions:

Changes proposed in this Pull Request:

This PR implements magic link functionality that should only be available to a "reader", as implemented by #1655.

Magic links are single-use authentication links that are sent to the user's registered email.

This implementation limits the number of simultaneous valid tokens to 5, which should be a safe amount in case the reader attempts to authenticate multiple devices at once. The limit is also a safety measure, because magic link creation, naturally, does not require authentication.

Also as a safety measure, magic links expire 30 minutes after creation.

This feature should only be available with reader activation enabled.

Self-Served vs. Admin-Generated

Magic links can be generated and sent by an anonymous user; these are self-served. Self-served links have a salted client hash attached to them. They are formed by the following arguments:

  • Random secret
  • IP
  • User-agent

The random secret is stored locally through a cookie for client hash validation. If the client hash does not match, the magic link fails to authenticate.

Admin-generated links do not have a client hash and can be used by anyone.

Email

[screenshot: the magic link email]

The sent email is minimalistic, filterable, and highly inspired by WP's wp_new_user_notification(). It serves the purpose of the functionality but for the "reader activation" project, all reader-related messaging should be tackled separately in a unified cohesive effort.

Management

There are a few tools available for the management of a user's magic link support. An admin can:

  • Manually send a new magic link to the user
  • Clear all existing tokens for a user
  • Disable/enable magic link support for a user

Dashboard

[screenshots: "Send magic link" row action and the "Magic Link Management" section on the user edit page]

CLI

A magic link can also be sent with WP-CLI:

NAME

  wp newspack magic-link send

DESCRIPTION

  Send a magic link to a reader.

SYNOPSIS

  wp newspack magic-link send <email_or_id>

OPTIONS

  <email_or_id>
    The email address or user ID of the reader.

EXAMPLES

    wp newspack magic-link send 12
    wp newspack magic-link send [email protected]

How to test the changes in this Pull Request:

Make sure you have AMP Plus on, reader revenue configured with WooCommerce and a valid Stripe test account, and the experimental reader activation flag in your wp-config.php:

define( 'NEWSPACK_EXPERIMENTAL_READER_ACTIVATION', true );

Also confirm you have a way to intercept sent emails, either through Mailhog or a configured SMTP.

Admin-generated

The quickest simple test of a magic link is to send one as an admin:

  1. While logged in as admin, visit the users' dashboard and mouse over a subscriber or customer (create one if you don't have any)
  2. Confirm you see the "Send magic link" option
  3. Click to send
  4. Confirm the email was sent
  5. Copy the link and paste it into an unauthenticated session (incognito)
  6. Confirm you are authenticated by visiting WC's my-account page

Admin management

Clearing tokens

  1. Click to edit the subscriber and scroll to "Magic Link Management"
  2. Send another magic link through this page and confirm the email was sent
  3. Before using the link on a new session, click on "Clear All Tokens"
  4. Attempt to use the sent link and confirm you receive the generic error message

Disabling magic links for a user

  1. Send another magic link as above
  2. Before using the link, click on "Disable Magic Links"
  3. Confirm the "Magic Link Management" section of the page now only has a button to enable support
  4. Navigate back to the users' dashboard and confirm that hovering the user does not show the "Send Magic Link" link
  5. Attempt to use the previously sent link and confirm you receive the generic error message

CLI

  1. Make sure you have Magic Links enabled for the user
  2. Open your instance CLI and type wp newspack magic-link send --help and confirm you see appropriate instructions
  3. Send a magic link using the user email: wp newspack magic-link send {email}
  4. Now the same using the user ID: wp newspack magic-link send {user_id}
  5. Confirm both emails are sent

Self-served tokens

  1. While unauthenticated, visit a page with the donation block
  2. Send a test donation using an existing reader's email
  3. Check your cookies and confirm you have a hashed value named np_auth_link
  4. Confirm the email was sent, copy the link and paste it into the session above, and confirm you're authenticated by accessing WC's my-account page

Client hash validation

  1. Repeat the steps above, but now paste the link on a new unauthenticated session (without the np_auth_link cookie)
  2. Confirm you get the generic error message

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?

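The token lifecycle described above (random single-use tokens, a cap of 5 live tokens per reader, 30-minute expiry, and a client hash built from a cookie secret plus IP and User-Agent for self-served links) is modelled in the following self-contained PHP. This is an added example written for this page, not code from this PR or from newspack-plugin: the class name MagicLinkStore, its method names and the in-memory array standing in for WordPress user meta are assumptions, and the cookie/IP/User-Agent values in the walk-through are constructed. It also follows the later remark in the thread that the token itself is a plain random value rather than a wp_hash() output.

```php
<?php
// Added example modelling the magic-link mechanics this PR describes. Not the
// newspack-plugin implementation: class/method names and the in-memory store
// (standing in for WordPress user meta + the np_auth_link cookie) are assumptions.

final class MagicLinkStore
{
    public const MAX_TOKENS   = 5;        // simultaneous valid tokens per user
    public const TTL_SECONDS  = 30 * 60;  // tokens expire 30 minutes after creation
    public const TOKEN_LENGTH = 60;       // random token length; no salted hash needed
    /** @var array<int, list<array{token:string, created:int, client:?string}>> */
    private array $tokens = [];

    /** CSPRNG-backed random token; unpredictability comes from random_int, not hashing. */
    public static function generateToken(): string
    {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $max = strlen($alphabet) - 1;
        $out = '';
        for ($i = 0; $i < self::TOKEN_LENGTH; $i++) {
            $out .= $alphabet[random_int(0, $max)];
        }
        return $out;
    }
    /** Random secret that goes into the client's cookie (np_auth_link in the PR). */
    public static function generateClientSecret(): string
    {
        return bin2hex(random_bytes(16));
    }
    /** Client hash: the cookie secret acts as the salt over IP + User-Agent. */
    public static function clientHash(string $secret, string $ip, string $ua): string
    {
        return hash('sha256', $secret . "\0" . $ip . "\0" . $ua);
    }
    /** $clientHash is null for admin-generated links and set for self-served ones. */
    public function create(int $userId, ?string $clientHash, int $now): string
    {
        $this->purgeExpired($userId, $now);
        $list = $this->tokens[$userId] ?? [];
        while (count($list) >= self::MAX_TOKENS) {
            array_shift($list); // evict the oldest: anonymous creation must not grow unbounded
        }
        $token  = self::generateToken();
        $list[] = ['token' => $token, 'created' => $now, 'client' => $clientHash];
        $this->tokens[$userId] = $list;
        return $token;
    }
    /** Validate and consume: true exactly once per token, false for every other case. */
    public function consume(int $userId, string $presented, ?string $clientHash, int $now): bool
    {
        $this->purgeExpired($userId, $now);
        foreach ($this->tokens[$userId] ?? [] as $i => $entry) {
            if (!hash_equals($entry['token'], $presented)) { // constant-time compare
                continue;
            }
            if ($entry['client'] !== null
                && ($clientHash === null || !hash_equals($entry['client'], $clientHash))) {
                return false; // self-served link presented from a different client
            }
            unset($this->tokens[$userId][$i]); // single use
            $this->tokens[$userId] = array_values($this->tokens[$userId]);
            return true;
        }
        return false;
    }
    public function clearAll(int $userId): void { unset($this->tokens[$userId]); }
    public function count(int $userId): int { return count($this->tokens[$userId] ?? []); }
    private function purgeExpired(int $userId, int $now): void
    {
        $this->tokens[$userId] = array_values(array_filter(
            $this->tokens[$userId] ?? [],
            fn(array $e): bool => $now - $e['created'] < self::TTL_SECONDS
        ));
    }
}

function check(bool $ok, string $what): void { if (!$ok) throw new RuntimeException("check failed: $what"); }

// Constructed walk-through mirroring the PR's test plan (IP, UA and user IDs are made up).
$store  = new MagicLinkStore();
$now    = time();
$secret = MagicLinkStore::generateClientSecret();                                   // lands in the cookie
$hash   = MagicLinkStore::clientHash($secret, '203.0.113.7', 'Mozilla/5.0 (example)');
$t1     = $store->create(42, $hash, $now);                                          // self-served link
check($store->consume(42, $t1, $hash, $now + 60),  'same client authenticates');
check(!$store->consume(42, $t1, $hash, $now + 61), 'token is single-use');
$t2 = $store->create(42, $hash, $now);
check(!$store->consume(42, $t2, null, $now + 60),  'new session without the cookie is rejected');
$t3 = $store->create(42, null, $now);                                               // admin-generated link
check(!$store->consume(42, $t3, null, $now + 31 * 60), 'expired after 30 minutes');
for ($i = 0; $i < 7; $i++) { $store->create(7, null, $now + $i); }
check($store->count(7) === 5, 'only the 5 newest tokens survive');
$store->clearAll(42);
check(!$store->consume(42, $t2, $hash, $now + 60), 'cleared tokens no longer work');
echo "all magic-link checks passed\n";
```

Run it with `php magic-link-example.php` (PHP 7.4 or newer). One design choice the PR text does not settle and this example makes explicitly: a client-hash mismatch leaves the token in place rather than burning it, so an attacker who merely sees a self-served link cannot lock the legitimate reader out of it, while the 5-token cap still bounds how many live links an anonymous requester can create for a given email.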
@miguelpeixe miguelpeixe added the [Status] Needs Review The issue or pull request needs to be reviewed label May 27, 2022
@miguelpeixe miguelpeixe requested a review from a team as a code owner May 27, 2022 15:51
@miguelpeixe miguelpeixe self-assigned this May 27, 2022
@adekbadek adekbadek self-requested a review June 2, 2022 12:47
@adekbadek (Member) left a review:
I love how this code utilises common WP practices (like filtering stuff), has proper documentation, and tests ❤️

Inline review comments (all resolved) on includes/class-magic-link.php and tests/unit-tests/magic-link.php.
@miguelpeixe miguelpeixe requested a review from adekbadek June 9, 2022 20:52
@miguelpeixe (Member, Author) commented:
0cf90d0 implements another small change to the token. It was using a salted hash from wp_hash(), which is not necessary, being a random and unpredictable value. This also gives us the opportunity for extra entropy so I changed its length to 60.

@github-actions github-actions bot added [Status] Approved The pull request has been reviewed and is ready to merge and removed [Status] Needs Review The issue or pull request needs to be reviewed labels Jun 16, 2022
@miguelpeixe miguelpeixe merged commit 02d9f82 into master Jun 20, 2022
@miguelpeixe miguelpeixe deleted the feat/magic-link branch June 20, 2022 10:56
matticbot pushed a commit that referenced this pull request Jul 1, 2022
# 1.86.0-alpha.1 (v1.85.0...v1.86.0-alpha.1) (2022-07-01)

### Bug Fixes

* **reader-revenue:** disable WC email if module will send email (#1709) (48e1613), closes #1699

### Features

* ads onboarding (#1678) (80c0bf4)
* disable deactivate and delete for required plugins (#1712) (75afee8)
* **experimental:** magic links (#1668) (02d9f82)
* **reader-revenue:** prevent creating duplicate stripe webhooks (#1710) (586e693)
@matticbot (Contributor) commented:
🎉 This PR is included in version 1.86.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

matticbot pushed a commit that referenced this pull request Jul 11, 2022
# 1.86.0 (v1.85.2...v1.86.0) (2022-07-11)

### Bug Fixes

* **reader-revenue:** disable WC email if module will send email (#1709) (48e1613), closes #1699

### Features

* ads onboarding (#1678) (80c0bf4)
* disable deactivate and delete for required plugins (#1712) (75afee8)
* **experimental:** magic links (#1668) (02d9f82)
* **reader-revenue:** prevent creating duplicate stripe webhooks (#1710) (586e693)
@matticbot (Contributor) commented:
🎉 This PR is included in version 1.86.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Labels: released on @alpha, released, [Status] Approved (The pull request has been reviewed and is ready to merge)

3 participants