|
|
|
|
|
|
by diggan
619 days ago
|
|
|
> if your email provider attempts to scan urls to see where they actually go you end up giving them an auth token This is what the "change the temporary token for a "permanent" token they (the frontend) can use for authentication" part is for, as it'll require a browser to visit the page so the token can be set in the frontend after making the "switch" with the authentication backend. The tokens get invalidated when used. Regarding abuse, there is a lot of other things around the design itself that has to be considered that I didn't mention. Rate-limits, validation, verification, operations and other things feel kind of besides the meat of the pattern. Otherwise we'll end up with very long comments :) |
|
|