Support OTP (passwordless) login on Open Library login page

[mekarpeles]

Problem

Archive.org launched a new passwordless (OTP) registration flow. Since OL and IA share credentials via the xauthn API, users who register on archive.org via OTP receive a randomly-generated password by default. These users are currently unable to log into OpenLibrary — they would need to manually reset their password unless OL implements OTP login.

Proposal

Add OTP login support to OpenLibrary's login page using the ia-otp-form web component from internetarchive/elements (demo/docs), wired through the shared xauthn API.

Dependency

PR #11052 (xauthn scaffolding, related to #10262) must land before this work begins — it introduces the underlying xauthn verify/activate support that OTP login depends on.

Requirements Checklist

• Integrate ia-otp-form from internetarchive/elements into OL's login page
• Wire the OTP flow to xauthn (same API used by archive.org)
• Users who registered via OTP on archive.org can successfully authenticate on OpenLibrary
• No regression on standard password-based login

Stakeholders

• @jimchamp — lead (staff required)
• @rebecca-shoptaw — key stakeholder (built the OTP registration side on archive.org)

[mekarpeles]

This can be done in two ways:

Archive.org IFrame

Presumably this can be done the same way as ia-third-party-logins

openlibrary/openlibrary/templates/account/ia_thirdparty_logins.html

Line 5 in 95ca673

id="ia-third-party-logins"

openlibrary/openlibrary/plugins/openlibrary/js/index.js

Line 527 in 95ca673

const thirdPartyLoginsIframe = document.getElementById('ia-third-party-logins');

This would require the addition of an new archive.org endpoint e.g. https://archive.org/account/login.ia-otp.php that can be used via iframe to enable the OTP flow.

Implementing

Alternatively we could implement the endpoints etc using the raw lit component, add xauthn endpoints, handle failures, resending.

ia-otp-form web component from internetarchive/elements (demo/docs), wired through the shared xauthn API.

Though it seems like quite a bit of overhead when http://archive.org/ is the only org that can fulfill this OTP.

We'd also need to handle "resend" and I'm not sure if xauthn has this functionality, so then we'll have to wait for @jimbonator

[mekarpeles]

Implementation Plan

Approach: Native Lit component + @internetarchive/elements + xauthn

@internetarchive/elements is available on npm (v0.2.5) — no iframe, no copy-paste. We install it as a normal dependency and wrap it.

ia-otp-form is endpoint-agnostic (pure UI, no hardcoded URLs). It fires events and accepts status props — our wrapper handles all HTTP.

---

Backend

Two new xauthn wrapper methods in openlibrary/accounts/model.py (InternetArchiveAccount):

• issue_otp(email, service='ol') → calls xauth('issue_otp', ...)
• redeem_otp(email, otp) → calls xauth('redeem_otp', ...)

Two new endpoints in openlibrary/plugins/upstream/account.py:

Endpoint	Method	Description
/account/login/otp/issue	POST	Calls xauthn issue_otp; handles initial issue and resend (same endpoint — xauthn self-rate-limits at HTTP 429). Forwards X-Originating-IP.
/account/login/otp/redeem	POST	Calls xauthn redeem_otp; on success feeds returned S3 keys into existing audit_accounts() to set OL auth token + cookies. Returns JSON.

Note: existing /account/otp/issue and /account/otp/redeem are OL-internal (account activation via TimedOneTimePassword) — no conflict.

---

Frontend

npm install @internetarchive/elements

New openlibrary/components/lit/OpenLibraryOTP.js — two-step Lit component:

• Step 1 (email): email input + "Send me a code" button → POST /account/login/otp/issue
• Step 2 (code): renders <ia-otp-form> from @internetarchive/elements
  • codeSubmitted event → POST /account/login/otp/redeem → update validationStatus
  • newCodeRequested event → POST /account/login/otp/issue again → set newCodeSending
  • Success → redirect to /account/books

Hosted in <ol-popover> (existing OL Lit modal component). Trigger button styled to match IA's ia-button.

Login template (openlibrary/templates/login.html): add <ol-otp-login> element below existing form.

---

Dependency

PR #11052 (xauthn activate scaffolding) should land first; however the issue_otp/redeem_otp xauthn operations are independent and the OL account linking path via audit_accounts(s3_key, s3_secret) is already in place.

---

Files to change

• openlibrary/accounts/model.py — two xauth wrapper methods
• openlibrary/plugins/upstream/account.py — two new endpoints
• openlibrary/components/lit/OpenLibraryOTP.js — new wrapper component
• openlibrary/components/lit/index.js — register new component
• openlibrary/templates/login.html — add trigger element
• package.json / package-lock.json — add @internetarchive/elements