django-allauth 0.62.0 released: "Magic Code Login"

Version 0.62.0 of django-allauth has been released, most notably featuring support for logging in using a special code, also known as “Magic Code Login”.

https://allauth.org/news/2024/04/django-allauth-0.62.0-released/


This is great! Are there any docs for the “magic code login”?

There really is not much to it: it is disabled by default, but you can set:

ACCOUNT_LOGIN_BY_CODE_ENABLED = True

Then, a “Mail me a sign-in code” button should automatically appear.

(see: Configuration - django-allauth)


Thanks - just had a chance to try it out and it’s working well.

Not sure if this is the right place to post this, but have you considered adding functionality so that it logs you in just by clicking the link (as opposed to having to paste in the code)? Or alternatively, better supporting a two-stage username + code-or-password workflow?

Thanks again for all the great work on the library.

Logging in by link comes with additional security caveats. Even Slack which was once using “Magic links” to login abandoned those. Issues:

  • Anybody who (somehow) intercepts the link can log in. If you intercept the code, you still have nothing, as you need to enter it in a browser window with a specific session.
  • You train your users to click on links in mails, which makes them vulnerable to phishing attempts.

So logging in by code instead of link is actually more secure.


Hmm, I suppose this makes sense, but also it seems like you could make the link only work for the session that created it. I imagine I could glue something like this together with allauth and javascript if I really wanted, and it sounds like native support in the library isn’t on your radar.
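The security argument above (a mailed code is worthless outside the session that requested it) and the follow-up idea of binding a link to the originating session both come down to the same server-side check. The following is an added example written for this thread, not django-allauth's own implementation; it stands in a plain dict for Django's request.session so it runs offline, and the TTL, attempt limit, session key and sample addresses are assumptions made for the illustration.

```python
"""Session-bound login-by-code, as a self-contained illustration.

Example code written for this thread, NOT django-allauth's implementation.
A real Django view would keep `session` in request.session; here it is a
plain dict so the whole flow can run offline.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

CODE_TTL_SECONDS = 300      # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 3            # assumption: three wrong guesses invalidate the code
SESSION_KEY = "login_code"  # assumption: where the pending state lives in the session


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(session: dict, email: str, now: Optional[float] = None) -> str:
    """Create a fresh code for `email`, bind it to `session`, and return it to be mailed."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # six decimal digits from a CSPRNG
    salt = secrets.token_bytes(16)
    session[SESSION_KEY] = {
        "email": email,
        "salt": salt,
        "digest": _digest(code, salt),   # only a salted hash is kept server-side
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session: dict, email: str, code: Optional[str], now: Optional[float] = None) -> bool:
    """Accept `code` only in the session that requested it, once, before expiry."""
    now = time.time() if now is None else now
    pending = session.get(SESSION_KEY)
    if pending is None or pending["email"] != email or code is None:
        return False                          # no code was requested in this session
    if now > pending["expires"]:
        session.pop(SESSION_KEY, None)        # stale state is discarded
        return False
    if not hmac.compare_digest(_digest(code, pending["salt"]), pending["digest"]):
        pending["attempts"] += 1
        if pending["attempts"] >= MAX_ATTEMPTS:
            session.pop(SESSION_KEY, None)    # too many guesses: force a new request
        return False
    session.pop(SESSION_KEY, None)            # single use
    return True


def code_from_link(url: str) -> Optional[str]:
    """Extract the code carried by a link such as https://example.test/login/?code=123456."""
    values = parse_qs(urlparse(url).query).get("code")
    return values[0] if values else None


def demo() -> dict:
    """Walk through the cases discussed in the thread; returns each outcome."""
    t0 = 1_700_000_000.0
    browser_a: dict = {}                      # the browser that asked for a code
    browser_b: dict = {}                      # an attacker's (or any other) browser
    email = "alice@example.test"              # constructed sample address
    code = issue_code(browser_a, email, now=t0)
    wrong = "000000" if code != "000000" else "000001"
    results = {}
    # An intercepted code typed into a browser that never requested one is worthless.
    results["stolen_code_other_session"] = verify_code(browser_b, email, code, now=t0 + 1)
    # The same holds when the code arrives via a link opened in the other browser.
    link = f"https://example.test/login/?code={code}"
    results["link_opened_elsewhere"] = verify_code(browser_b, email, code_from_link(link), now=t0 + 1)
    # Wrong guesses in the originating session are counted but not fatal yet...
    results["wrong_guess"] = verify_code(browser_a, email, wrong, now=t0 + 2)
    # ...the right code in the originating session succeeds, exactly once.
    results["correct_in_origin_session"] = verify_code(browser_a, email, code, now=t0 + 3)
    results["replay_after_success"] = verify_code(browser_a, email, code, now=t0 + 4)
    # A code that is left to expire is rejected and its state cleared.
    code2 = issue_code(browser_a, email, now=t0)
    results["expired"] = verify_code(browser_a, email, code2, now=t0 + CODE_TTL_SECONDS + 1)
    results["state_cleared_after_expiry"] = SESSION_KEY not in browser_a
    # Exhausting the attempt budget invalidates even the correct code.
    code3 = issue_code(browser_b, email, now=t0)
    wrong3 = "000000" if code3 != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        verify_code(browser_b, email, wrong3, now=t0 + 5)
    results["locked_out_after_max_attempts"] = verify_code(browser_b, email, code3, now=t0 + 6)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point the maintainer makes falls out of the data model: the pending code lives in the requesting browser's session, so a code or link that lands anywhere else has nothing to match against. Binding a link to its session, as the last post suggests, is the same check with the code read from the URL instead of a form field, and it inherits the same limitation that the link only works in the browser that requested it, which is exactly the "open the mail on your phone" case a plain magic link is usually meant to cover.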