Skip to content

Add magic link authentication for secure passwordless login#17

Merged
Neverdecel merged 1 commit intomainfrom
feature/magic-link-auth
Jan 25, 2026
Merged

Add magic link authentication for secure passwordless login#17
Neverdecel merged 1 commit intomainfrom
feature/magic-link-auth

Conversation

@Neverdecel
Copy link
Owner

@Neverdecel Neverdecel commented Jan 25, 2026

Summary

  • Replace insecure direct email login with magic link authentication flow
  • Users now receive a login link via email instead of being logged in immediately
  • Prevents unauthorized access - only the email owner can complete login

Changes

File Description
models/verification.py Add MAGIC_LINK token type to enum
services/verification.py Add magic link methods (create, verify, rate limit) with 15-min expiry
api/onboarding.py Replace login endpoint, add /api/auth/magic/{token} verification
templates/login.html Two-state UI: email entry → check email with countdown/resend
static/style.css Styles for new login page states

Security Features

  • Single-use tokens: Consumed immediately on verification
  • 15-minute expiry: Short window limits exposure
  • Hashed storage: Raw token never stored in database
  • Rate limiting: 60 seconds between magic link requests
  • No email enumeration: Same response for existing/non-existing emails

Testing

  1. Navigate to /login
  2. Enter a registered email → shows "Check your email" state
  3. Click magic link in email → redirected and logged in
  4. Click same link again → shows "invalid" error
  5. Enter non-existent email → shows same success message (no enumeration)

DevOps Notes

No infrastructure changes required. Uses existing:

  • Verification tokens table (same as email verification)
  • Resend email service
  • No new environment variables needed

Add magic link authentication for secure passwordless login
b0dc684 
Replace insecure direct email login with magic link flow:
- Add MAGIC_LINK token type to verification model
- Add magic link methods to VerificationService (create, verify, rate limit)
- Modify POST /api/login to send magic link email instead of creating session
- Add GET /api/auth/magic/{token} endpoint for token verification
- Update login template with two-state UI (email entry + check email)
- Add branded HTML email template for magic links

Security: single-use tokens, 15-min expiry, hashed storage, rate limiting,
no email enumeration (same response for existing/non-existing emails)
@Neverdecel Neverdecel merged commit e207353 into main Jan 25, 2026
1 check passed
@Neverdecel Neverdecel deleted the feature/magic-link-auth branch January 25, 2026 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Neverdecel