Email-based sign in (aka "magic link" sign in)

We're going to add a feature that will allow apps to work without the user needing to create or enter a password.

How it will work on the client

First install

1. Participant installs the app
2. After consent process, app generates password to sign up user
3. User consent is submitted, app has session
4. When session expires, the app uses the generated password to re-authenticate

Reinstalls

1. Participant installs the app on new device or deletes/reinstalls 
2. Participant opens app, says “hey I already have an account, here’s the email address” 
3. App tells server “send me a magic link to this email address" 
4. App tells participant “check your email for a magic link” 
5. Participant has to go to email on phone and tap magic link, which takes them to the app to sign them in 
6. The app generates a new random password and includes it in the magic link sign-in call

How it will work on the server

Two new endpoints will be introduced:

{ "email": "<email.address>", "study": "<studyId>" }

This endpoint will reject calls to send another email while the prior email request has not timed out (currently 60 seconds). If this is abused, we may need to do further rate limiting. It will also need to verify the email is active in the study before sending an email.

{ "email": "<email.address>", "study": "<studyId>", "password": "<password>", "token" : "<token>" }

{ "statusCode": 404, "entityClass": "Account", "message": "Account not found.", "type": "EntityNotFoundException" }

If the token has been issued, retrieve the user's identity and return a session. Optionally, if a password value has also been submitted, reset the password before returning the session.

Study

Study will have a new email template, the emailSignInTemplate, which will allow researchers to create a message and the message can include a link. If the app needs, for example, to have a link with a subdomain, like https://myApp.sagebridge.org/mobile/verify.html?token=<sometoken>, they will be able to add that. There should be a default using webservices.sagebridge.org.

Verify the template has a ${token} string in it somewhere to substitute the token.

We will also be able to enable/disable this functionality with the emailSignInEnabled flag.

AuthenticationService

Deep Linking with a Magic Link

Purpose

We want an easy web-to-native app transition that will allow users to complete the online portion of an app and then go to the application having all of their information remembered. 

First Install- Web to Native App

1. User fills out survey on the web
2. User signs up using their phone number
3. SMS is sent which takes user to app store/googe play store so they can download the app
4. After the app installed the information from the online portion is remembered (ex. consent has been filled out)

First Install- Native App to Native App

All of the steps above would be the same, except if the user had downloaded the app on their phone rather than starting at the website their magic link would take them directly

to inside the application.

Definitions

Deep Linking- points to content inside of an application, works if the app is installed

Deferred Linking- This takes users to a 'deferred' part of the application after install, non-specific to the user

Contextual Linking- Keeping information all the way through install, this is a seamless experience, best choice

Universal Linking- specific to iOS (only ios >9.0, ~85% of iphone users), makes it so that no hacky javascript is used to redirect the website to a URI link (my://) , requires SSL certificate

App Links- similar to apple version of universal linking. except android still accepts custom uri schemes in their mobile web browser, requires SSL certificate.

Intent-Filter-Link- Specific to android, no SSL certificate required, the dillemma here is that a disambiguation page is brought up and the user can choose to bring up another app instead. (ie. chrome could be a suggestion to open our website)

Web Requirements 

1.      SSL certificate- This is so that your app and website can be tied together, no other application can be suggested once this step is in place
2.     ./well-known/ directory needs to be hosted on your website and two special files that are recognized by android and ios devices

ex: https://mPower.com/.well-known/<file-name depends on ios/android>

Note: "These two files will be downloaded automatically by every single user that installs or upgrades the app, its recommended that this file get hosted on a CDN

-Because this file is only fetched once when the user first installs or upgrades the app, this file must be live on your website before your app is released. This also means that you can’t add new deep linking url patterns to your app until you push out a new app update to force users to refresh the file."

     3.       You can match links using regex/direct paths/ or path prefixes for a response to get triggered. You can use only use URLs for ios, whereas android still allows for URI. 

URL:

https/mPower.com/...

URI:

mPower:// outdated for ios, apple made universal links for this reason

App Requirements

In both applications the implementation is fairly straightforward, Android Studio has a built in feature that allows you create and test domains on your app. iOS has docs that are also straightforward. Note: neither of these can be tested until the certiciate is in place. 

Other Considerations

There are several cases when deep links won't work, links inside the Gmail, Inbox and Facebook apps for instance.

Linking Services

The main selling point of these services is that they allow for keeping information known through install (contextual linking). It has yet to be determined how difficult/or not difficult this is to do without their services. 

branch io

google firebase