Implement support for device verification
Reported by: Nicklas Nordborg | Owned by: everyone
This is inspired by similar functionality in, for example, Facebook and Google, where a verification code is sent by email (or SMS) to a user the first time that user is trying to login from a new device. Since we already have email support in BASE it should not be too difficult to implement the other part.
Since we need some GUI for entering the verification code it must be possible to enable/disable this feature per client application. For example, the FTP server extension can't use this due to lack of support in the FTP protocol.
Since we don't require users to register their email address, it should be possible to enable/disable per user account (disabled by default). The email address must be validated before it is possible to enable this feature.
When this feature is enabled and a user is trying to login from a new device, the login procedure should verify the username/password as normal. Once that has been done, a verification code (6 digits?) will be sent by email to the user. The login procedure will then throw a special exception to indicate that a verification code is needed. The client is responsible for displaying a GUI for entering this code. On the server side, the verification code is kept in memory and is not stored in the database.
The client application then submits the verification code back to the server which checks it. If the code is incorrect, the login procedure should be restarted from the beginning. If the code is correct, the server sends back a token to the client. The client should store this token on the computer (for example in localStorage). The token is also stored in the database together with some other useful information (eg. User-agent, etc.).
The next time the user is trying to login the client should also send the stored token together with the username and password. The server can then check this token against what has been stored in the database and allow the user to login without a new verification code.
Some other useful stuff:
- The 'Session' object should have a link to the 'device'.
- A user should be able to list devices it has used and be able to remove a device from the list of known devices.
- It might be a good idea to add a checkbox 'Remember this device' on the page where the verification code is entered. It would make it easier to, for example, temporarily login from a public computer without storing it as a trusted device.
Note! A 'device' in this context is a specific browser on a specific computer. Using a different browser on the same computer is considered to be a different device.
Note! If a single computer/browser is used by multiple users each user needs to verify the device. However, since it may be difficult for the browser to store more than one token the server must accept that the same token is used for multiple users.
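The login procedure described above (password check, emailed code kept in memory, special exception, code check, token issued and stored, token accepted on later logins) together with the notes on the session-to-device link, the device list, the 'Remember this device' checkbox and the shared token for multiple users, as an added example model. This is not BASE code: the class, method and field names, the in-memory dicts standing in for the database, the `Outbox` stand-in for BASE's email support, the 10-minute code lifetime and the choice to store only a hash of the device token are all assumptions of the example.

```python
# Added example, not BASE code: a model of the device-verification login flow
# proposed in the ticket. Names, the in-memory "users"/"devices" dicts (standing
# in for the database), the code lifetime and the token hashing are assumptions.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumption: how long an emailed code stays valid


class LoginFailed(Exception):
    """Password or verification code rejected; the client restarts the login."""


class VerificationRequired(Exception):
    """Password was correct but this device is unknown: a code has been emailed."""


class Outbox:
    """Stand-in for BASE's email support: records (address, code) pairs."""
    def __init__(self):
        self.sent = []

    def __call__(self, address, code):
        self.sent.append((address, code))


def _token_hash(token):
    # Only a hash of the device token is kept server-side, so a database leak
    # does not hand out tokens that are still valid in users' browsers.
    return hashlib.sha256(token.encode()).hexdigest()


class DeviceVerificationServer:
    def __init__(self, users, mailer, now=time.time):
        # users: {username: {"password", "email", "device_verification": bool}}
        # (a real server verifies a password hash; plain strings keep the model short)
        self.users = users
        self.mailer = mailer
        self.now = now
        self.pending = {}   # username -> {code, expires}; memory only, never the database
        self.devices = {}   # (username, token_hash) -> device record; persistent

    def _session(self, username, device_key):
        # The session carries a link to the device it was opened from (None if unknown).
        return {"id": secrets.token_hex(16), "user": username, "device": device_key}

    def login(self, username, password, device_token=None):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise LoginFailed("bad username or password")
        if not user.get("device_verification", False):
            return self._session(username, None)
        if device_token is not None:
            key = (username, _token_hash(device_token))
            if key in self.devices:      # known device: no new code needed
                self.devices[key]["last_seen"] = self.now()
                return self._session(username, key)
        # Unknown device: email a 6-digit code and keep it in memory until used or expired.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"code": code, "expires": self.now() + CODE_TTL_SECONDS}
        self.mailer(user["email"], code)
        raise VerificationRequired(username)

    def verify_code(self, username, code, user_agent="", remember_device=True, existing_token=None):
        entry = self.pending.pop(username, None)   # single use: any outcome ends this attempt
        if entry is None:
            raise LoginFailed("no verification pending; restart login")
        if self.now() > entry["expires"]:
            raise LoginFailed("code expired; restart login")
        if not hmac.compare_digest(entry["code"], code):
            raise LoginFailed("wrong code; restart login")
        if not remember_device:      # 'Remember this device' unchecked: no token at all
            return self._session(username, None), None
        # A browser can hold only one token, so a token another user already verified
        # on this browser is accepted and registered for this user as well.
        token = existing_token or secrets.token_urlsafe(32)
        key = (username, _token_hash(token))
        self.devices[key] = {"user_agent": user_agent, "created": self.now(), "last_seen": self.now()}
        return self._session(username, key), token

    def list_devices(self, username):
        return [{"id": key[1], **rec} for key, rec in self.devices.items() if key[0] == username]

    def forget_device(self, username, device_id):
        # Removing a device forces a new code the next time that browser is used.
        return self.devices.pop((username, device_id), None) is not None


if __name__ == "__main__":
    outbox = Outbox()   # constructed sample data
    users = {"alice": {"password": "pw-a", "email": "alice@example.org", "device_verification": True}}
    srv = DeviceVerificationServer(users, outbox)
    try:
        srv.login("alice", "pw-a")
    except VerificationRequired:
        session, token = srv.verify_code("alice", outbox.sent[-1][1], user_agent="Browser/1.0")
        print("token issued; known-device login as", srv.login("alice", "pw-a", device_token=token)["user"])
```

Two points the model makes concrete: the pending code is removed on every `verify_code` call, so a wrong or expired code really does force the client back to the username/password step as the ticket requires, and the device table is keyed by (user, token hash) rather than by token alone, which is what lets one browser token be trusted for several users without the server having to tell them apart by anything else.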