How to Implement Email Login with Time-Sensitive Tokens in Django-Allauth

[MohamedElgamal]

Hello everyone,

I’m looking to implement a secure email-based login process using Django-Allauth with the following workflow:

1. User enters their email address in a form.
2. A time-sensitive token is generated and sent via email as part of a login link.
3. When the user clicks the link, the token is validated (exists, not expired, not tampered with).
4. Based on the validation, the user is logged in or shown an error.

Is there a recommended way to achieve this using Django-Allauth? Any advice or references would be greatly appreciated!

[pennersr]

See https://docs.allauth.org/en/latest/account/configuration.html -- specifically, ACCOUNT_LOGIN_BY_CODE_ENABLED and ACCOUNT_LOGIN_BY_CODE_REQUIRED. It will take care of sending a code that needs to be input before the user can continue.

The user does need to copy/paste it -- there is no link. This is by design, done both for increased UX and security. The UX issue is that users often receive the code on a mobile device, and clicking a link there opens a different browser, disturbing the flow. The other is security -- with the current approach, another user intercepting the email cannot login as you need to have both the code and the open browser window where the code needs to be inputted.

[MohamedElgamal]

ok, but what about if want to replace the code with link that contain jwt token instead of the code ? is it possible or not