Metadata-Version: 2.1
Name: django-magic-link
Version: 0.1.dev1
Summary: Django app for managing tokenised 'magic link' logins.
Home-page: https://github.com/yunojuno/django-magic-link
License: MIT
Author: YunoJuno
Author-email: code@yunojuno.com
Maintainer: YunoJuno
Maintainer-email: code@yunojuno.com
Requires-Python: >=3.7,<4.0
Classifier: Environment :: Web Environment
Classifier: Framework :: Django
Classifier: Framework :: Django :: 2.2
Classifier: Framework :: Django :: 3.0
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Requires-Dist: django (>=2.2,<4.0)
Project-URL: Documentation, https://github.com/yunojuno/django-magic-link
Project-URL: Repository, https://github.com/yunojuno/django-magic-link
Description-Content-Type: text/markdown

# Django Magic Link

Opinionated Django app for managing "magic link" logins.

This app is not intended for general purpose URL tokenisation; rather it is designed to support a
single use case - so-called "magic link" logins.

There are lots of alternative apps that can support this use case, including the project from which
this has been extracted - `django-request-tokens`. The reason for yet another one is to handle the
real-world challenge of URL caching / pre-fetch, where intermediaries use URLs with unintended
consequences.

This packages supports a very specific model:

1. User is sent a URL to log them in.
2. User clicks on the link, and which does a GET request to the URL.
3. User is presented with a confirmation page, but is _not_ logged in.
4. User clicks on a button and performs a POST to the same page.
5. The POST request authenticates the user, and deactivates the token.

The advantage of this is the email clients do not support POST links, and any prefetch that attempts
a POST will fail the CSRF checks.

The purpose is to ensure that someone actively, purposefully, clicked on a link to authenticate
themselves. This enables instant deactivation of the token, so that it can no longer be used.

In practice, without this check, many tokenised authentication links are "used up" before the
intended recipient has clicked on the link.

