#web-security
2022-03-15
Drew Verlee 04:03:31

Would it be possible and secure to have an email client (the email the user gets) have logic to request a magic link to their email (they don't have to enter it again; the client adds it), then get the response and open the link, all such that the user just had to click the button once? The link they end up following with the token would expire, so even if they shared it, it wouldn't work. We have users that get enrolled in our system and we send them an email to let them log in, but we don't want to send magic links that never expire. But it seems counterintuitive to send them to our app from the email, then have them go back to their email to get the magic link.

jumar 06:03:59

I'm confused. Could you rephrase your question and perhaps use concrete examples?

Drew Verlee 07:03:46

You open an email; it has a button that, when you click it, goes to a website. You share the button with your friend; when he clicks it, nothing happens. The button isn't a short-lived, one-time magic link itself, but it generates one each time you click the button and uses it to log you in. It doesn't work for your friend because their email isn't registered on the server to receive magic links/tokens. So while they can make the request, it will get denied.

Drew Verlee 07:03:20

Like this example: https://dzone.com/articles/how-passwordless-authentication-works#:~:text=Passwordless%20authentication%20can%20be%20implemented,code%20is%20created%20and%20stored. Only, instead of a user going to an app and entering their email, we send them an email with the magic link generator button, bc we already know their intent to log in.

Drew Verlee 16:03:29

To answer my own question. No, you can't make ajax requests from most email clients.
