Email -> Magic Link Login 🔗 #223
Comments
nelsonic
added
enhancement
|
As a technical tool, I love magic links. They're very cool. As a layman user of apps I personally am not a fan of magic links as I have seen them historically implemented from UX perspective. I used to use them back in my slack days (4 years ago) and they were cool the first time, annoying the rest. I'm annoyed by having to go back to my email when trying to log into an app and especially so when I have to request magic links for multiple different devices (usually they expire after one click) and having to do this process continually across all devices when the login expires after a few months is frustrating. I already have password management in place (and these days, most people do in their browsers anyway) and this messes with that system. I also can never remember which email address I signed up to something with but this could still be managed by the password manager so is less of an issue. Interested to see if I'm in the minority and magic links are all the rage! |
|
@iteles I feel that Magic Links are a UX-bandaid 🩹 more than a long-term solution to the auth challenge. 💭 But this issue is open for feedback and if enough people [that will pay to use the |
|
For mobile devices, I heard that 3/4 of people don't have an email address .... so depends on your target. Indeed, OAuth is the way to go I believe, but one giant is missing, Facebook. I looked at it the other day and did not completely understand nor had the patience to implement the server-side process🙄. If you are interested, I will try it asap. |
|
We are keen on helping people migrate off Otherwise let's keep the discussion of this thread specific to Magic Links. 🔗 🪄 👌 |
|
You are wise🤔. I believe passwordless is straightforward: a signed token based on a user_id (new_or_create) which is saved with "pending" status and on reception to an endpoint, the query string contains a token and is verified for the signature and decoded and a lookup at the user_id to check for the token, and if ok, generate a new one, save it and pass status "confirmed". I made something like this for my little app. |
|
Do you permit |
|
Was recently reminded of the "right" way of doing
This is the approach we will be taking. "Never click links in email" ~ https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips |
|
You may be right about these evil links.🙄 At this moment, I have plenty of fake emails with links to follow coming from fake accounts such as DHL, UPS etc... Sending a code via email makes the code slimmer compared to the magic link; you don't have the extra endpoint with the URL parsing step. You only need to insert a tuple "email, code_sent" into the DB and store the active email in the session, don't you? How does this work for mobile where you don't have a session? |
|
Passkeys: Probably something to watch: https://hexdocs.pm/webauthn_components/readme.html |
|
Definitely. One to watch. https://webauthn.guide |
|
|
|
Yeah, watched that a while back. still very much "beta" though ... |
As noted by @ndrean in dwyl/learn-postgresql#84 (comment) 💬
We don't currently have the concept of Magic Links in this project. 🪄
My reasoning was that we don't want people clicking links in email because it promotes
Phising... 🙄But we
doalready have email verification.e.g: templates/verify.txt#L6-L7
Todo
gen.authphx.gen.auth ? #133 -> Proposal: RebuildAuthApp usingmix phx.gen.authwhenPhoenix@1.7Ships #207P.S: Just tried the
emailsend function and it still all works. 🤯I probably shouldn't be surprised because nothing has changed and it worked fine last time I checked ... ⏳ 💭 😜
The text was updated successfully, but these errors were encountered: