Implement a token login system to replace passwords

src/login.py

@@ -39,67 +39,30 @@ class HFFriendlyGSheetsConnection(GSheetsConnection):
 conn = st.connection("gsheets", type=HFFriendlyGSheetsConnection)
 
 
-def get_user_id_from_email_if_exists(email: str) -> int:
-    # returns -1 if id not found
-    df_email = conn.read(
-        worksheet="users",
-        usecols=[0, 1],
-        ttl=3600,
-    )
-    df_email = df_email[df_email.email.notna()]
-    for row in df_email.itertuples():
-        if row.email.lower() == email.lower():
-            return row.id
-    return -1
-
-
-def get_password_from_user_id(user_id: int) -> str | None:
-    try:
-        df_pass = conn.read(
-            worksheet=f"user-{user_id}-password",
-            usecols=[0],
-            ttl=1,
-        )
-        return df_pass.password[0]
-    except Exception:
-        return None
-
-
 def check_password():
     """Returns `True` if the user had a correct password."""
 
     def login_form():
         """Form with widgets to collect user information"""
         with st.form("Credentials"):
-            st.text_input("Email", key="email")
-            st.text_input("Password", type="password", key="password")
+            st.text_input("Login token", type="password", key="password")
             st.form_submit_button("Log in", on_click=password_entered)
 
     def password_entered():
         """Checks whether a password entered by the user is correct."""
-        # check if email exists
-        if user_id := get_user_id_from_email_if_exists(st.session_state["email"]):
-            if password := get_password_from_user_id(user_id):
-                if hmac.compare_digest(
-                    st.session_state["password"],
-                    password,
-                ):
-                    st.session_state["password_correct"] = True
-                    st.session_state["logged_in_user"] = user_id
-                    del st.session_state["password"]  # Don't store the email or password.
-                    del st.session_state["email"]
-                    del password
-                    return
+        # check if token exists
+        if login_by_token(st.session_state["password"]):
+            return
         st.session_state["password_correct"] = False
 
-    # Return True if the email + password is validated.
+    # Return True if the token is validated.
     if st.session_state.get("password_correct", False):
         return True
 
     # Show inputs for email + password.
     login_form()
     if st.session_state.get("password_correct", True) is False:
-        st.error("😕 User not known or password incorrect")
+        st.error("😕 Token incorrect")
     return False
 
 
@@ -120,3 +83,20 @@ def save_user_team(team_selections):
         worksheet=f"user-{user_id}-roster",
         data=pd.DataFrame(team_selections, index=[0]),
     )
+
+
+def login_by_token(token: str):
+    # returns true if logged in successfully
+    df = conn.read(
+        worksheet="user-tokens",
+        usecols=[0, 1],
+        ttl=3600,
+    )
+    df = df[df.token.notna()]
+    for row in df.itertuples():
+        if hmac.compare_digest(row.token, token):
+            user_id = int(row.id)
+            st.session_state["password_correct"] = True
+            st.session_state["logged_in_user"] = user_id
+            return True
+    return False

src/shared_page.py

@@ -2,6 +2,7 @@ import os
 import streamlit as st
 
 from queries.nflverse.github_data import load_assets_if_no_tables
+from login import login_by_token
 
 
 def get_local_style():
@@ -15,6 +16,13 @@ def local_css():
     return st.markdown(get_local_style(), unsafe_allow_html=True)
 
 
+def login_token_arg_if_exists():
+    url_params = st.experimental_get_query_params()
+    if arg_token_list := url_params.get("token"):
+        login_by_token(arg_token_list[0])
+
+
 def common_page_config():
     local_css()
     load_assets_if_no_tables()
+    login_token_arg_if_exists()