The Pincode Login module provides facilities for automatically creating users that can log in using a four-digit pincode.
This module is primarily meant to be integrated using the Rules module (http://drupal.org/project/rules), but it is also possible to call the pincode_login_register() function from code.
Integrating using Rules
The Pincode Login module exposes a Rules action named "Generate a new user with pincode login".
This action takes two arguments:
- User name
- E-mail address
The way the Pincode Login module generates users bypasses validation of e-mail addresses (and possibly user name uniqueness). You therefore have to validate these yourself before passing them to the action.
Note: As the pincode will be the ID of the new user, dummy data can safely be used for the user name and e-mail address values. The only concern is whether these values need to be unique. I have not experimented with values that are not unique.
The action returns two new variables to Rules:
- Newly created user object
- Pincode of newly created user
Using these variables, Rules can assign roles to the created users, giving them the access they need (and no more!).
The pincode is the only piece of data the user needs to log in. It can be distributed by e-mail, SMS, or any other means you can think of.
The Pincode Login module also provides various utility actions for working with users and pincodes:
- Load a user object from pincode
- Load a user object from username
- Get pincode from User by user ID
- Change e-mail address of a user
Integration through code
To register a new user, use the pincode_login_register($username, $mail) function.
Arguments are the same as for the Rules integration, and the same concerns apply.
The function returns an array containing the newly created user object and the pincode for this user:
return array('pincodeuser' => $account, 'pincode' => $pincode);
For more details please browse the code
End user usage
The Pincode Login module provides a login page (pincode/login), and a login block.
No default redirect is provided out of the box after successful login. I recommend using the Rules module for redirecting the user to a desired page after logging in.
This module uses Drupal's external login API to BYPASS Drupal's login security!!
This module is LESS secure than Drupal's standard login.
As this module provides login through a 4-digit pincode only, brute-force attacks can be a real issue.
To slow down such attacks, the Pincode Login module limits the number of failed login attempts to three per IP address. When the threshold for failed logins is reached for an IP address, a delay of 15 minutes is enforced before the next login attempt is allowed from that IP address.
These measures make brute forcing tedious from a single point of attack, or require the likes of a bot network to break in quickly.
But even with these measures, the Pincode Login module is still less secure than Drupal's standard login mechanisms.
Knowing these limitations and dangers, if you limit the permissions of users logging in with a pincode, nothing too bad will happen to you. A typical scenario for using this module would be a resource to be made available for a short time, where you don't want to bother the user with another registration process. User creation is automated, and all you need from the user is a means of distributing the pincode. This could be e-mail, SMS, or any other means.
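To put numbers on the limit of three failed attempts and a 15-minute delay per IP address, the following added example (not the module's own code) models that throttle in Python and estimates the chance that one source address hits some active pincode within a day. The class and function names, the counter restarting after each lockout, and the account counts are assumptions made for the illustration.

```python
"""Model of the per-IP throttle described above; added example, not module code."""
from dataclasses import dataclass, field

KEYSPACE = 10_000          # four-digit pincodes 0000-9999
MAX_FAILURES = 3           # failed attempts allowed per IP address (from the page)
LOCKOUT_SECONDS = 15 * 60  # delay enforced once the threshold is reached

@dataclass
class IpThrottle:
    failures: dict = field(default_factory=dict)      # ip -> failures since last lockout
    locked_until: dict = field(default_factory=dict)  # ip -> time the lockout ends

    def allowed(self, ip, now):
        return now >= self.locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        count = self.failures.get(ip, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            count = 0  # assumption: the counter restarts after each lockout
        self.failures[ip] = count

def failed_attempts_admitted(duration_seconds, ip="192.0.2.10"):
    """Failed logins the throttle lets through from one address that never stops trying."""
    throttle, admitted = IpThrottle(), 0
    for now in range(duration_seconds):
        while throttle.allowed(ip, now):
            throttle.record_failure(ip, now)
            admitted += 1
    return admitted

def guesses_per_day(source_ips):
    """Closed form of the same limit, summed over independent source addresses."""
    return source_ips * MAX_FAILURES * (86_400 // LOCKOUT_SECONDS)

def hit_probability(active_pincodes, guesses):
    """Chance that `guesses` distinct pincodes include at least one active account.

    The pincode is the only credential, so a guess succeeds if it matches ANY
    active pincode; the miss probability is hypergeometric.
    """
    miss = 1.0
    for i in range(min(guesses, KEYSPACE)):
        miss *= max(KEYSPACE - active_pincodes - i, 0) / (KEYSPACE - i)
    return 1.0 - miss

if __name__ == "__main__":
    assert failed_attempts_admitted(86_400) == guesses_per_day(1)
    for active in (1, 10, 50, 200):  # constructed account counts
        p = hit_probability(active, guesses_per_day(1))
        print(f"{active:>4} active pincodes: {p:.1%} chance of a hit per address per day")
```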