Optionally let Ext2F module handle code generation
Summary
Currently, Ext2F requires two commands. One to generate and send the token for a user, and another to check the token submitted by the user on the form.
My proposal is to have an option that lets Ext2F handle the code generation and verification itself, and only rely on an external command to send it to the user.
An obvious use for this modification would be to relieve the user of the burden of implementing their own token storage, while still being able to interact with all sorts of external delivery methods (proprietary/SaaS SMS gateways come to mind).
Design proposition
Much like #1629 (closed), with this hypothetical new option turned on, the plugin would
In run:
- Generate a random code (with String::Random for now)
- Store it in the token-based temporary session
- Call the configured command, which could be something like send_token.pl --phoneNum $mobile --code $code ($code would already be available in this phase, unlike ext2F's regular behaviour)
- Display the ext2fcheck template to the user
In verify:
- With the hypothetical option on, instead of calling an external command to verify the code, we could compare the code POST-ed by the user to the one internally stored in the session.
Thoughts
This would make it easier for a user to plug into an existing delivery method (mail, sms, pagers, some mobile app, smoke signals) without having to implement token generation and storage themselves.
However, it would mean that ext2F would have 2 pretty different ways of working, depending on whether it handles token generation or leaves it to the external system. I'm not sure if this behaviour should be a part of ext2F or its own, separate module.
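An added sketch of the run/verify flow proposed above, with the checks internally stored codes need (expiry, retry cap, single use); it is not part of the original issue and not LemonLDAP::NG code. The function names, the plain hash standing in for the temporary session, the policy constants and the use of /dev/urandom in place of String::Random are assumptions.

```perl
use strict;
use warnings;
use constant { CODE_LEN => 6, TTL => 120, MAX_TRIES => 3 };    # assumed policy

# Digits from the kernel CSPRNG; bytes >= 250 are rejected to avoid modulo bias.
sub gen_code {
    open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";
    my $code = '';
    while ( length($code) < CODE_LEN ) {
        read( $fh, my $byte, 1 ) == 1 or die "short read from urandom";
        $code .= ord($byte) % 10 if ord($byte) < 250;
    }
    return $code;
}

# Comparison without an early exit on the first differing character.
sub ct_eq {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) ) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# "run": generate the code, store it in the temporary session, call the sender.
sub run_phase {
    my ( $session, $mobile, @send_cmd ) = @_;
    my $code = gen_code();
    @{$session}{qw(code expires tries)} = ( $code, time() + TTL, 0 );
    # List-form system() bypasses the shell: $mobile stays a single argument.
    return system( @send_cmd, '--phoneNum', $mobile, '--code', $code ) == 0;
}

# "verify": compare the POSTed code with the stored one (expiry, retry cap, single use).
sub verify_phase {
    my ( $session, $posted ) = @_;
    return 0 unless defined $session->{code};
    if ( time() > $session->{expires} || ++$session->{tries} > MAX_TRIES ) {
        delete $session->{code};
        return 0;
    }
    my $ok = ct_eq( $session->{code}, $posted // '' );
    delete $session->{code} if $ok;
    return $ok;
}

# Constructed demo: "true" stands in for the real sender script.
my %session;
run_phase( \%session, '+33600000000', 'true' ) or die "send failed";
printf "%s\n", verify_phase( \%session, $session{code} ) ? 'accepted' : 'rejected';
```

A code passed as a command-line argument, as in the send_token.pl invocation above, is visible in the process list to other local users while the sender runs; handing it over on stdin or through the environment avoids that.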