Sign-in with phone number / sms code

8 posts, 1 answer
  1. David
    30 posts
    Member since:
    Sep 2010

    Posted 19 Feb 2015

    I've been considering authentication methods that do not require the user to select a username and password. I would, however, like to utilize Backend Services User Authentication.

    This is really a theoretical question. Here's an example process (my first pass), that I'm not even sure is feasible.
    1) To create an account, user enters mobile phone number (and maybe email address as backup)
    2) No password is requested.
    3) User submits new account request
    4) Cloud Code sends an SMS message to the user containing a "passcode". This passcode is basically a system generated password (maybe a random 5-digit number).
    5) User enters passcode and in turn, is authenticated (receives token).

    Other notes:
    1) It would probably make sense if the passcode would expire (change) at some point. In other words, the password in Backend Services is changed programmatically after, let's say, 24 hours.
    2) If the user needs to sign-in again later (token expires, etc.) they would need to request a new sms passcode. Basically, the same process as above, but a different passcode would be sent.

    Basically, this would use the built-in Backend Services User Management / Authentication; it would just not require the user to select and remember a password. The password would be sent on demand via SMS (hopefully not very often) based on the user's mobile phone number.

    Any thoughts, guidance, concerns? Has anyone done something similar with SMS authentication?

    Thanks,
    David
  2. Answer
    Anton Dobrev
    Admin
    539 posts

    Posted 23 Feb 2015

    Hi Dave,

    Such a scenario could be accomplished using the Cloud Code and Cloud Functions of Backend Services.

    Please find below some guidelines which might be helpful.

    1. The user contacts a Cloud Function and provides email/phone number.

    2. The Cloud Code Function generates the password, creates the user account and sends the SMS/Email.

    3. The user can now login using the standard endpoint in the server/method in the SDK.

    4. If the user requests a new password, you will need to handle this case as well. For example, reset the password of the user prior to sending the email/SMS with the new code.

    Additional notes which might be useful:

     - Set the type-level permissions for Users to Role-based. De-select all roles so that users can be created only using master key authentication. Thus users will not be able to register with the standard endpoint.

     - Use the Everlive.Sdk.withMasterKey() instance in the cloud code when working with types that require master key authentication.

    However, you might also consider the following if you need to add more robust logic using custom login implementation:

    - Set a private content type that holds the password expiration time for each user by Id.

    - Create a custom endpoint that handles the login and the case where the password validity has expired.

    - Send the user a password in hashed format so that the user cannot use the plain-text password to login via the standard {BaseUrl}/{ApiKey}/oauth/token endpoint. Only the custom endpoint can extract the password and log the user in via the /oauth/token endpoint.

    I'd like to hear your thoughts on the above and whether it is helpful. Let me know if you have further questions and inquiries; I will be glad to help.

    Also, it will be helpful if you could share more details about the scenario you would like to achieve and the need of such authentication mechanism.


    Best regards,
    Anton Dobrev
    Telerik

    Everlive is now Telerik Backend Services, and is part of the Telerik Platform.
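    The passcode flow David sketches in the opening post and the guidelines above (server-generated code, an expiry stored per user, a hashed rather than plain code on the server side, and a separate handling path when the code has expired) can be prototyped outside Backend Services as a small issue/verify module. The following is an added example written for this thread; it is not Telerik code and not the cloud function from the thread. It assumes an in-memory Map as a stand-in for the "private content type" holding the expiry per user Id, a 6-digit code, a 5-minute validity window and a limit of 5 guesses (all constructed values), and it hashes the code server-side with a per-challenge HMAC salt rather than sending the user a hashed password. In a real deployment the plain code returned by issuePasscode would be the value handed to the SMS sender and set as the user's password via the master-key changepassword call.

    ```javascript
    // Added example (not Telerik's code): SMS passcode issue/verify with expiry,
    // hashed storage, single use and a bounded number of guesses.
    const crypto = require("crypto");

    const CODE_DIGITS = 6;              // assumed: thread discusses 5- or 6-digit codes
    const CODE_TTL_MS = 5 * 60 * 1000;  // assumed validity window for the SMS code
    const MAX_ATTEMPTS = 5;             // assumed guess limit; 10^6 codes are brute-forceable without one

    // Stand-in for the "private content type" keyed by user Id (constructed, in-memory).
    const challenges = new Map();

    function generatePasscode(digits = CODE_DIGITS) {
      // crypto.randomInt draws uniformly from a CSPRNG; Math.random is not suitable here.
      const max = 10 ** digits;
      return String(crypto.randomInt(0, max)).padStart(digits, "0");
    }

    function hashPasscode(code, salt) {
      // Keyed hash with a per-challenge salt: the stored record never holds the plain code.
      return crypto.createHmac("sha256", salt).update(String(code)).digest();
    }

    // Create (or replace) the challenge for a user and return the plain code for the SMS sender.
    // `now` and `code` are injectable so the behaviour can be tested deterministically.
    function issuePasscode(userId, { now = Date.now(), code = generatePasscode() } = {}) {
      const salt = crypto.randomBytes(16);
      challenges.set(userId, {
        salt,
        hash: hashPasscode(code, salt),
        expiresAt: now + CODE_TTL_MS,
        attempts: 0,
      });
      return code;
    }

    // Check a submitted code. Returns { ok, reason } so the caller can distinguish an
    // expired code (re-issue flow) from a wrong guess or a locked challenge.
    function verifyPasscode(userId, candidate, { now = Date.now() } = {}) {
      const rec = challenges.get(userId);
      if (!rec) return { ok: false, reason: "no_challenge" };
      if (now > rec.expiresAt) {
        challenges.delete(userId);
        return { ok: false, reason: "expired" };
      }
      if (rec.attempts >= MAX_ATTEMPTS) {
        challenges.delete(userId);
        return { ok: false, reason: "locked" };
      }
      rec.attempts += 1;
      // Both digests are 32 bytes, so timingSafeEqual can compare them without leaking
      // how many leading bytes matched.
      const candHash = hashPasscode(candidate, rec.salt);
      if (!crypto.timingSafeEqual(candHash, rec.hash)) {
        return { ok: false, reason: "mismatch" };
      }
      challenges.delete(userId); // single use: a replayed SMS code must not log in again
      return { ok: true };
    }

    module.exports = { generatePasscode, issuePasscode, verifyPasscode, CODE_TTL_MS, MAX_ATTEMPTS };
    ```

    The "expired" result is where the custom login endpoint from the guidelines would trigger a fresh code rather than simply rejecting the user, and the "locked" result is the reason a short numeric code needs an attempt limit in addition to the expiry.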
  3. David
    30 posts
    Member since:
    Sep 2010

    Posted 03 Mar 2015 in reply to Anton Dobrev

    Sorry for the delayed response - and thanks for the great information - as always, it's very helpful. I haven't been able to dig into this any further just yet, but I am planning to work on the sign-in concept more. I'll be sure to let you know what I come up with.

    Thanks,
    David
  4. Anton Dobrev
    Admin
    539 posts

    Posted 04 Mar 2015

    Hi David,

    Glad to hear that this information was helpful. Let me know if further questions arise.

    Regards,
    Anton Dobrev
    Telerik
  5. David
    30 posts
    Member since:
    Sep 2010

    Posted 13 Mar 2015 in reply to Anton Dobrev

    Anton,

    Is it possible to change a user's password using "Cloud Code" and "Everlive.Sdk.withMasterKey()"? I would like to reset a user's password (only knowing their username) to a 6-digit number (to resend via SMS), but haven't been able to figure out if that's possible.

    Thanks,
    David
  6. Anton Dobrev
    Admin
    539 posts

    Posted 16 Mar 2015

    Hello David,

    You can do this by using the method from the JS SDK as explained here. However, you need to have the current password of the user (usually, this functionality is designed to allow the user to change their own password).

    However, you can enforce the password change with a master key authentication. To do this you need to call the REST API endpoint of Backend Services with an HTTP call. Here is a sample cloud function that illustrates the workflow:
    Everlive.CloudFunction.onRequest(function(request, response, done) {
        // Project settings exposed to cloud code: API key, master key, base URL and API version.
        var parameters = Everlive.Parameters;
        var apiKey = parameters.apiKey;
        var masterKey = parameters.masterKey;
        var baseUrl = parameters.apiBaseUrlSecure;
        var apiVersionNumber = parameters.apiVersion;

        // REST endpoint that changes a user's password without knowing the current one.
        var url = baseUrl + "/v" + apiVersionNumber + "/" + apiKey + '/Users/changepassword';

        var options = {};
        // Sample values; in the SMS scenario these would be the target username and the
        // newly generated passcode.
        var username = "my-username";
        var newPassword = "my-new-password";

        options.body = {
            "Username": username,
            "NewPassword": newPassword
        };
        // Master key authentication: this request must only ever run server-side.
        options.headers = {
            "Authorization": "MasterKey " + masterKey
        };
        options.contentType = "application/json";

        Everlive.Http.request('POST', url, options, function(err, data) {
            if (err) {
                response.body = err;
                done();
            } else {
                response.body = "Success";
                done();
            }
        });
    });


    A note to bear in mind is that an email will be sent to the email of the user from the registration that the password is changed. This cannot be switched off.

    Let me know if you have questions.

    Regards,
    Anton Dobrev
    Telerik
  7. David
    30 posts
    Member since:
    Sep 2010

    Posted 16 Mar 2015 in reply to Anton Dobrev

    Beautiful, that works perfectly. Thanks!

    One thing, you mentioned that a "password has changed" email will be sent and that it can't be turned off. It appears that maybe it can be. In Backend Services / Users / Email Settings - there's a "Send confirmation email for a change of password" checkbox. When that is unchecked, an automated email doesn't seem to be sent on password change - which in my use case would be perfect.

    Many thanks,
    David
  8. Anton Dobrev
    Admin
    539 posts

    Posted 17 Mar 2015

    Hi David,

    Glad to hear this code is doing the job on your side.

    Indeed, you are right about the template. I overlooked the fact that only the "ResetPasswordEmail" could not be turned off and would like to apologize for that. Thanks for pointing this out.

    Let me know if further questions arise.

    Regards,
    Anton Dobrev
    Telerik