by mooreds 618 days ago
> It just feels brittle and if your email provider attempts to scan urls to see where they actually go you end up giving them an auth token and by the time the user clicks the link it's invalidated (or you don't invalidate the link at all which is worse).

At my current employer (an auth vendor) we ended up changing our magic link behavior to require a post from the user to log in because of this issue (the scanners didn't get an auth token, but they did invalidate the one-time code and confuse end users to no end).

If you want more details, there is some discussion here: https://github.com/FusionAuth/fusionauth-issues/issues/2443 and on the related issues.
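The GET-then-POST magic link flow the comment describes, as an added example in Python; this is not the commenter's or FusionAuth's code, and the host name, token store and TTL are constructed placeholders. A link scanner that follows the emailed URL only issues a GET, which renders a form without consuming the code; the code is consumed once, on the POST the user triggers by clicking.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store: sha256(token) -> (user, expiry_epoch_seconds).
# Example code only; FusionAuth's real implementation is described in the linked issue.
_PENDING = {}
TTL_SECONDS = 600


def issue_magic_link(user, now=None):
    """Mint a single-use token and return the URL that would be emailed."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # never store the raw token
    _PENDING[digest] = (user, (now if now is not None else time.time()) + TTL_SECONDS)
    return f"https://example.test/magic?token={token}"  # placeholder host


def token_from_url(url):
    """Pull the token back out of the emailed URL (what the browser sends on GET)."""
    return parse_qs(urlparse(url).query)["token"][0]


def handle_get(token, now=None):
    """GET is what email link scanners follow: validate only, render a form,
    and leave the token untouched so the user's later click still works."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING.get(digest)
    if entry is None or entry[1] < (now if now is not None else time.time()):
        return {"status": 404, "body": "link invalid or expired"}
    return {"status": 200, "body": '<form method="post"><button>Continue</button></form>'}


def handle_post(token, now=None):
    """POST is sent only by the user's click on the form: consume the token
    exactly once (pop), so a replayed POST or a reused link is rejected."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING.pop(digest, None)
    if entry is None or entry[1] < (now if now is not None else time.time()):
        return {"status": 403, "body": "link invalid or expired"}
    return {"status": 200, "body": f"logged in {entry[0]}"}


if __name__ == "__main__":
    link = issue_magic_link("alice")
    tok = token_from_url(link)
    print("scanner GET:", handle_get(tok)["status"])   # 200, token still valid
    print("scanner GET:", handle_get(tok)["status"])   # 200, still not consumed
    print("user POST:  ", handle_post(tok)["status"])  # 200, consumed now
    print("replay POST:", handle_post(tok)["status"])  # 403
```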