johtso 9 days ago
Wouldn't that be incredibly insecure? An attacker would just need to initiate a login, and if the user happens to click the link they've just given the attacker access to their account. The reason why magic links don't usually work across devices/browsers is to be sure that _whoever clicks the link_ is given access, and not necessarily whoever initiated the login process (who could be a bad actor).
dspillett 9 days ago
> Wouldn't that be incredibly insecure?

If done naively with a simple magic link, yes.

> and if the user happens to click the link they've just given the attacker access to their account

Worse: if the user's UA “clicks the link” by making the GET request to generate a preview. The user might not even have opened the message for this to happen.

> Wouldn't that be incredibly insecure?

It can be mitigated somewhat by making the magic link go to a page that invites the user to click something that sends a POST request. In theory the preview loophole might come into play here if the UA tries to be really clever, but I doubt this will happen.

Another option is to give the user the option to transfer the session to the originating UA, or stay where they are, if you detect that a different UA is used to open the magic link, but you'd have to be careful wording this so as to not confuse many users.
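
The landing-page mitigation described in the comment above, as an added sketch that is not code from the thread: GET only renders a confirmation page, POST is the one request that consumes the token, and a cookie comparison detects when a different browser opened the link. The function names, status codes, choice values, TTL and in-memory store are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 600   # seconds; constructed value
_pending = {}     # sha256(token) -> record; in-memory stand-in for a database table

def _lookup(token, now):
    """Return (key, record) for a live token, or (key, None) if unknown or expired."""
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = _pending.get(key)
    now = time.time() if now is None else now
    return key, (rec if rec and rec["expires"] > now else None)

def start_login(email, now=None):
    """Initiating browser requests a link: token goes in the e-mail, browser_id in its cookie."""
    token, browser_id = secrets.token_urlsafe(32), secrets.token_urlsafe(16)
    key = hashlib.sha256(token.encode()).hexdigest()
    _pending[key] = {"email": email, "browser": browser_id,
                     "expires": (time.time() if now is None else now) + TOKEN_TTL}
    return token, browser_id

def handle_get(token, now=None):
    """GET on the magic link: read-only, so a mail client's preview fetch changes nothing."""
    _, rec = _lookup(token, now)
    return (200, "confirm page with POST form") if rec else (410, "expired or used")

def handle_post(token, browser_cookie, choice=None, now=None):
    """POST from the confirm page: the only request that consumes the token."""
    key, rec = _lookup(token, now)
    if rec is None:
        return 410, None
    same = browser_cookie is not None and hmac.compare_digest(browser_cookie, rec["browser"])
    if not same and choice not in ("stay_here", "transfer_to_originating"):
        return 409, None          # different browser and no decision yet: token is kept
    del _pending[key]             # single use: a replayed POST gets 410
    target = "this_browser" if same or choice == "stay_here" else "originating_browser"
    return 200, {"email": rec["email"], "session_for": target}
```
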