django-allauth 0.62.0 released: "Magic Code Login"

Version 0.62.0 of django-allauth has been released, most notably featuring support for logging in using a special code, also known as “Magic Code Login”.

https://allauth.org/news/2024/04/django-allauth-0.62.0-released/

5 Likes

This is great! Are there any docs for the “magic code login”?

1 Like

There really is not much to it: it is disabled by default, but you can set:

ACCOUNT_LOGIN_BY_CODE_ENABLED = True

Then, a “Mail me a sign-in code” button should automatically appear.

(see: Configuration - django-allauth)

3 Likes

Thanks - just had a chance to try it out and it’s working well.

Not sure if this is the right place to post this, but have you considered adding functionality so that it logs you in just by clicking the link (as opposed to having to paste in the code)? Or alternatively, better supporting a two-stage username + code-or-password workflow?

Thanks again for all the great work on the library.

Logging in by link comes with additional security caveats. Even Slack, which once used “Magic links” to log in, abandoned them. Issues:

  • Anybody who (somehow) intercepts the link can log in. If you intercept the code, you still have nothing, as you need to enter it in a browser window with a specific session.
  • You train your users to click on links in mails, which makes them vulnerable to phishing attempts.

So logging in by code instead of link is actually more secure.

2 Likes

Hmm, I suppose this makes sense, but also it seems like you could make the link only work for the session that created it. I imagine I could glue something like this together with allauth and javascript if I really wanted, and it sounds like native support in the library isn’t on your radar.

I thought the same, but in the end decided that a code is much, much better. Why? User behavior.

The user might have their email client on the phone, or they might be using multiple laptops (work, home…), where they need to log in to their email every time, which becomes a hassle. If they can receive it on their phone and just type it in manually, that is a plus.

If they are using the same laptop, you can just create a link so the code auto-fills, i.e. mydomain.com/login?code=abc123, without needing to create a custom magic link.
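The two security points made above (an intercepted code is useless outside the session that requested it, and a prefilled `?code=` link carries no secret of its own) as an added, runnable illustration. This is not django-allauth's implementation and says nothing about its internals; it is a stand-alone model of the argument. Assumptions not taken from the thread: the session is a plain dict standing in for a server-side session store, the session key name `login_code`, 6-digit codes, a 5-minute lifetime and a budget of 3 attempts.

```python
"""Session-bound sign-in code (illustration, not django-allauth's code).

Assumptions not from the page: a dict stands in for the server-side session,
codes are 6 digits, expire after 5 minutes and allow 3 attempts.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
SESSION_KEY = "login_code"  # hypothetical session key name


def _hash_code(code: str, session_salt: str) -> str:
    """Hash the code with a per-session salt so the stored digest is useless in any other session."""
    return hashlib.sha256(f"{session_salt}:{code}".encode()).hexdigest()


def issue_code(session: dict, now: Optional[float] = None) -> str:
    """Generate a code and store only its salted hash, expiry and attempt budget in *this* session.

    Returns the plaintext code, which is what would be emailed to the user.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    salt = secrets.token_hex(16)
    session[SESSION_KEY] = {
        "salt": salt,
        "hash": _hash_code(code, salt),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return code


def verify_code(session: dict, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code only in the session that requested it, before expiry, within the attempt budget.

    Pending state is cleared on success, on expiry and when the attempts run out,
    so a code is single-use and cannot be brute-forced indefinitely.
    """
    now = time.time() if now is None else now
    state = session.get(SESSION_KEY)
    if state is None:
        return False  # this session never asked for a code: an intercepted code is worthless here
    if now > state["expires_at"]:
        session.pop(SESSION_KEY, None)
        return False
    state["attempts_left"] -= 1
    ok = hmac.compare_digest(state["hash"], _hash_code(submitted, state["salt"]))
    if ok or state["attempts_left"] <= 0:
        session.pop(SESSION_KEY, None)
    return ok


def code_from_login_url(url: str) -> Optional[str]:
    """Pull a prefilled code out of a link like /login?code=123456 (the auto-fill idea above).

    The link only saves typing; redeeming the code still requires the requesting session.
    """
    values = parse_qs(urlparse(url).query).get("code")
    return values[0] if values else None


def demo() -> dict:
    """Run the scenarios discussed in the thread with constructed sessions and return the outcomes."""
    t0 = 1_700_000_000.0  # fixed clock so the walk-through is deterministic
    user_session: dict = {}
    attacker_session: dict = {}  # a different browser that intercepted the email
    slow_session: dict = {}      # a user who waits too long

    code = issue_code(user_session, now=t0)
    slow_code = issue_code(slow_session, now=t0)
    prefilled = code_from_login_url(f"https://mydomain.com/login?code={code}")

    return {
        "attacker_with_code": verify_code(attacker_session, code, now=t0),
        "user_wrong_code": verify_code(user_session, "000000", now=t0),
        "user_prefilled_link": verify_code(user_session, prefilled, now=t0 + 10),
        "user_replay": verify_code(user_session, code, now=t0 + 11),
        "user_expired": verify_code(slow_session, slow_code, now=t0 + CODE_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The attacker scenario is the one the thread turns on: holding the plaintext code gains nothing without the session that stored its hash, whereas a self-contained magic link would have to carry the whole credential in the URL. Binding the code to the session also gives a natural place to enforce single use, expiry and an attempt limit, which a 6-digit code needs.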