Ability to use Email provider without a database #9085
MikeDupree
started this conversation in
Ideas
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Goals
Allow for passwordless login (magic link) via Email provider without requiring a database.
This means there would be no mechanism for 1-time use of the magic links. However, with a short expiry time, this shouldn't be an issue.
generateVerificationToken
sendVerificationRequest
useVerificationToken
Non-Goals
No response
Background
With the current architecture, the developer is forced to integrate a database in order to handle 1-time use of the magic links.
This ties a developer's hands if they want to implement next-auth's email provider.
From a security standpoint there's little reason to enforce implementers to use 1-time login links, with proper expiration the window to use the magic links is pretty low unless insecure tokens are generated. Not to mention someone still needs access to that user's email in order to access the magic link.
This is achievable in next-auth's current state by removing the hashing of the token prior to passing it along to
useVerificationToken
The hashing I'm talking about happens here: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/routes/callback.ts#L200C6-L200C6
Proposal
Add a config that allows developers to opt out of the token hashing allowing them to store data in the token and decode it within
useVerificationToken
. By making this change a developer can create a timestamp and create a JWT from the data, the developer can then decode that data withinuseVerificationToken
and return the expiry as needed.By making it opt out you keep default security and allow developers more control of their Email provider setup.
I am willing to contribute if this is an acceptable change.
Beta Was this translation helpful? Give feedback.
All reactions