We're going to add a feature that will allow apps to work without the user needing to create or enter a password.
...
Two new endpoints will be introduced:
| POST | /v3/auth/email | |
|---|---|---|
| auth | no authentication, public endpoint | |
| body | { "email": "<email.address>", "study": "<studyId>" } | |
| returns | 202 | Accepted (email will be sent) |
| returns | 429 | Too many requests sent (being rate-limited, no further email will be sent) |
This endpoint will need to rate-limit the frequency of submissions for the same email address: reject calls to send another email while the prior email request has not timed out (currently 60 seconds). The same Redis entry with a TTL can serve both as the rate limit and as the expiration for the validity of the token (probably one minute). If this is abused, we may need to do further rate limiting. It will also need to verify the email is active in the study before sending an email.
| POST | /v3/auth/email/signIn | |
|---|---|---|
| auth | no authentication, public endpoint | |
| body | { "email": "<email.address>", "study": "<studyId>", "password": "<password>", "token" : "<token>" } | |
| returns | 200 | with user session |
| returns | 412 | with user session |
| returns | 404 | { "statusCode": 404, "entityClass": "Account", "message": "Account not found.", "type": "EntityNotFoundException" } |
If a token has been issued for this email and the submitted token matches it, retrieve the user's identity and return a session. Optionally, if a password value has also been submitted, reset the password before returning the session.
...
Study will have a new email template, emailSignInTemplate, which will allow researchers to create a message that can include a link. If the app needs, for example, a link with a subdomain, like https://myApp.sagebridge.org/mobile/verify.html?token=<sometoken>, they will be able to add that. There should be a default using webservices.sagebridge.org.
Verify the template has a ${token} string in it somewhere to substitute the token.
We will also be able to enable/disable this functionality with the emailSignInEnabled flag.
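The flow described above, as an added example in Python that is not Bridge's own code: the request endpoint issues a token and uses a single TTL entry as both the rate limit and the token's validity window, the template is checked for `${token}` before substitution, and the sign-in endpoint verifies the token, optionally resets the password, and returns a session or the 404 body. It assumes an in-memory `TtlStore` standing in for the Redis entry, an injected clock, a constructed outbox in place of the mailer, and salted PBKDF2 for password storage; answering 202 without sending for an address that is not active in the study (so the public endpoint does not reveal enrolment), 404 for a study with the flag off, and 412 for an account that has not consented are this example's assumptions, since the page does not specify those responses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from string import Template

# From the design: one Redis entry with a TTL is both the rate limit and the
# token's validity window (currently 60 seconds).
TOKEN_TTL_SECONDS = 60
PBKDF2_ROUNDS = 200_000
NOT_FOUND = {"statusCode": 404, "entityClass": "Account",
             "message": "Account not found.", "type": "EntityNotFoundException"}


@dataclass
class Study:
    study_id: str
    email_sign_in_enabled: bool      # the emailSignInEnabled flag
    email_sign_in_template: str      # the emailSignInTemplate text
    active_emails: frozenset         # addresses active in the study


class TtlStore:
    """In-memory stand-in for the Redis entry with a TTL (assumption: the real
    service uses Redis). Time is injected so expiry is deterministic."""

    def __init__(self):
        self._entries = {}  # key -> (token, expires_at)

    def set_if_absent(self, key, token, now):
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            return False     # prior request has not timed out: rate-limited
        self._entries[key] = (token, now + TOKEN_TTL_SECONDS)
        return True

    def get_if_valid(self, key, now):
        entry = self._entries.get(key)
        return entry[0] if entry is not None and entry[1] > now else None

    def delete(self, key):
        self._entries.pop(key, None)


def validate_template(template):
    """The email template must contain ${token} somewhere to substitute into."""
    if "${token}" not in template:
        raise ValueError("emailSignInTemplate must contain ${token}")
    return Template(template)


def hash_password(password):
    # Assumption: the page does not say how passwords are stored; salted PBKDF2
    # is used here so the optional reset path can be exercised.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(stored, password):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class EmailSignInService:
    def __init__(self, studies, accounts, store=None):
        self.studies = {s.study_id: s for s in studies}
        self.accounts = accounts            # (study_id, email) -> account dict
        self.store = store or TtlStore()
        self.outbox = []                    # constructed stand-in for the mailer

    @staticmethod
    def _key(study_id, email):
        return f"{study_id}:{email.strip().lower()}"

    def request_email(self, email, study_id, now):
        """POST /v3/auth/email -> 202 accepted or 429 rate-limited."""
        study = self.studies.get(study_id)
        if study is None or not study.email_sign_in_enabled:
            return 404   # assumption: the page gives no status for a disabled study
        if email not in study.active_emails:
            # Assumption: 202 without sending, so enrolment is not revealed.
            return 202
        token = secrets.token_urlsafe(24)
        if not self.store.set_if_absent(self._key(study_id, email), token, now):
            return 429
        body = validate_template(study.email_sign_in_template).safe_substitute(token=token)
        self.outbox.append((email, body))
        return 202

    def sign_in(self, email, study_id, token, now, password=None):
        """POST /v3/auth/email/signIn -> (200|412, session) or (404, error body)."""
        key = self._key(study_id, email)
        expected = self.store.get_if_valid(key, now)
        account = self.accounts.get((study_id, email))
        if (expected is None or account is None
                or not hmac.compare_digest(expected.encode(), token.encode())):
            return 404, NOT_FOUND
        self.store.delete(key)              # single use: token consumed on success
        if password is not None:            # optional password reset before the session
            account["password_hash"] = hash_password(password)
        session = {"email": email, "studyId": study_id, "sessionToken": secrets.token_urlsafe(24)}
        # Assumption: 412 (still with a session) marks an account that has not consented.
        return (200 if account.get("consented", True) else 412), session
```

The token lookup deliberately does not consume the stored entry on a mismatch, so a wrong guess cannot invalidate the link the real user is about to click; the entry is only removed once a sign-in succeeds or its TTL lapses.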
AuthenticationService

| method | Description |
|---|---|
| initiateSessionVerification(String email) | |
| verifySession(String email, String password, String token) | |
...