Authentication for Mobile users
tylor - May 5, 2008 - 23:59
| Project: | SMS Framework |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | diggersf |
| Status: | closed |
Description
As part of our SMS project here at Raincity Studios, it would also be great to get into some form of basic mobile phone authentication for users. Ideally it could work something like this (similar to Brightkite and Jaiku):
- User adds new mobile phone number
- Before it is added as active, a message is sent to the number with a short passcode: "Your mobile confirmation number is HK1WC, please visit example.com"
- User enters passcode at Drupal website
- Phone is active to send/receive messages
It could also follow the Twitter model, where the user is given a number and a short passcode, and upon receipt by the Drupal site the user is authenticated.
Anyone else looking for similar functionality? Has anyone explored this within the SMSFramework?

#1
Changing to feature request. I think another interesting feature is generalized functions to allow for SMS-based login to a Drupal site. That is, an unauthenticated phone number sends a text to the Drupal site. A user account with the phone number as the username is created, and a text is sent back to the user. This includes short instructions, a URL, and a passcode to "activate" the account.
This should probably be written up as a separate feature request, but wanted to provide context. This particular feature would be only to verify a phone number with an existing account.
#2
I found that there is some of this functionality already built in but it needs some UI work. We need to change the wording of the message sent to include its originating URL. Right now it says 'Use the code 5930 to confirm your mobile number' and it would be better to append something like '... at example.com/user/4/edit'. Boris also mentioned this here: http://drupal.org/node/258057
Also, the process for assigning a number to a user account is clunky and maybe a sprinkle of jQuery/AJAX could help that out a lot.
Finally, sms_user stores the mobile number in the user profile data blob which makes it very inefficient to match a user to an incoming number. Instead we should have a table to store the user id with the phone number so that we can then select the user directly (e.g. we could query SELECT * FROM `sms_user` WHERE `number` = '555-555-5555').
#3
+1 for storing the mobile number in a separate table instead of the user profile.
#4
Great ideas. I've started working on a patch for this. Should be ready within the next few days.
#5
Here is a patch that stores user number in a DB table instead of in $user->data. It also improves the UI surrounding the number confirmation process.
#6
I encountered a couple problems so far:
1. After I entered the confirmation number and hit submit, my number was saved incorrectly as 2147483647. This number is the limit for a 32-bit signed integer... related? I tested this on both our development install and on a new installation of Drupal. Also, are we storing the number in the users table until it is validated? Why don't we just store this in another column of the sms_user table?
2. I got this error after submitting a new number:
warning: Invalid argument supplied for foreach() in /modules/smsframework/modules/sms_user.module on line 152.
Everything worked correctly, but it's pretty ugly.
3. After submitting the confirmation code, the message "A message containing a confirmation code has been sent to your mobile phone. Please enter the code below." came up. This is unclear and probably comes down to the message being misplaced within your logic.
4. I think it is an improvement to have the authentication on a second tab but one of our usability guys wondered about calling it 'Mobile Settings' rather than just 'Mobile'. What do you think? Also, it would be good if the tab wasn't lost at the end of all the other tabs, can we have it next to 'Edit'?
5. I noticed that the hook_perm function was missing, eg:
function sms_user_perm() {
  return array('administer sms_user');
}
6. The authentication text messages still aren't clear enough as to their origin. Some other examples are:
Again, I think having either the site name or base URL like "Use the code xxxx to confirm your number on drupal.org" or "Use the code xxxx to confirm your number on http://drupal.org" would be valuable.
7. It might be complicated to code the UI for this now (and how the Messaging module will handle it), but I think it's important that we consider how multiple numbers can be attached to an account. A possible use case for this is an international traveller using multiple phones/SIM cards. Twitter doesn't support multiple numbers and I've heard this as a complaint. Facebook does store multiple numbers and has settings for each. I don't think we should worry about how this is handled from the frontend, but I think support for this should be built in from the start.
8. Is there a way we can automate the upgrade path? We already have about 25 users signed up with numbers entered, and if someone is using this on a larger production website we need to provide the necessary upgrade; something like hook_update(), http://api.drupal.org/api/function/hook_update/5
All in all I think we're on our way with solid improvements to sms_user. Sorry for the verbosity of this comment but wanted to get everything in one place.
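An added example, not part of the thread or of the sms_user patch: the confirmation flow from the description, combined with the number-to-user lookup proposed in #2 and the site name in the message text asked for in #6. It is plain PHP rather than Drupal API; `PhoneVerifier`, its method names, the 10-minute expiry and the five-guess limit are assumptions made for the illustration.

```php
<?php
// Added illustration in plain PHP 7.1+; not Drupal or sms_user API.
final class PhoneVerifier {
    const TTL = 600;      // assumed: a code is valid for 10 minutes
    const MAX_TRIES = 5;  // assumed: guesses allowed per code
    private $rows = [];   // stand-in for a table with one row per number
    // Numbers stay digit strings; integer storage can clamp long values.
    public static function normalise(string $raw): string {
        return preg_replace('/\D+/', '', $raw);
    }

    // Record the number as pending and return the SMS text to send.
    public function request(int $uid, string $raw, string $site, int $now): ?string {
        $n = self::normalise($raw);
        if (!empty($this->rows[$n]['active'])) return null; // already confirmed
        $code = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
        $this->rows[$n] = ['uid' => $uid, 'active' => false, 'tries' => 0,
            'expires' => $now + self::TTL,
            'hash' => hash('sha256', $code)]; // the code itself is not stored
        return "Use the code $code to confirm your number on $site";
    }

    // Activate only for the requesting user, inside the time and guess limits.
    public function confirm(int $uid, string $raw, string $code, int $now): bool {
        $n = self::normalise($raw);
        if (!isset($this->rows[$n])) return false;
        $row = &$this->rows[$n];
        if ($row['uid'] !== $uid || $row['active']) return false;
        if ($now > $row['expires'] || $row['tries'] >= self::MAX_TRIES) return false;
        $row['tries']++;
        if (!hash_equals($row['hash'], hash('sha256', $code))) return false;
        return $row['active'] = true;
    }

    // Map an incoming sender to a user id; pending numbers never match.
    public function userFor(string $raw): ?int {
        $row = $this->rows[self::normalise($raw)] ?? null;
        return ($row && $row['active']) ? $row['uid'] : null;
    }
}
// Constructed sample run: request, one wrong guess, then the real code.
$v = new PhoneVerifier();
$sms = $v->request(4, '555-555-5555', 'example.com', 1000);
preg_match('/code (\d{4})/', $sms, $m);
$wrong = sprintf('%04d', ((int) $m[1] + 1) % 10000);
var_dump($v->userFor('5555555555'));                   // lookup while pending
var_dump($v->confirm(4, '555-555-5555', $wrong, 1001));
var_dump($v->confirm(4, '555-555-5555', $m[1], 1002));
var_dump($v->userFor('(555) 555-5555'));               // lookup after confirming
```

The guess counter matters with a four-digit code: without it, the 10,000 possible values can simply be tried in turn against the confirmation form.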
#7
We went live with 3000 users, 2000 of them with mobile numbers.
An upgrade path would be highly appreciated.
(this is a big improvement, btw)
#8
New update with upgrade path is available. The upgrade path has been tested lightly. Please test it before using on a live site. Open a new ticket if there are issues. Thanks!
http://drupal.org/cvs?commit=125844
#9
Automatically closed -- issue fixed for two weeks with no activity.