Login by code ("Magic code login") and unverified email addresses #3853

Closed
violuke opened this issue May 28, 2024 · 2 comments

@violuke

violuke commented May 28, 2024

Thanks for the incredible feature in #3725 🙏

I've noticed that you can use the magic code even on non-verified email addresses. Is this intentional? Is this secure? It might well be considered secure, but I thought it was worth a discussion.

Cheers

@violuke violuke changed the title Login by code ("Magic code login") #3725 Login by code ("Magic code login") and unverified email addresses May 28, 2024
@pennersr
Owner

An email address can be considered verified if you have demonstrated the ability to read emails sent to it. Clearly, if you can read login codes sent to the email address, that implies ownership of the address... so I really don't see an issue here.

If anything, things need to be changed so that an unverified email automatically gets verified when logging in by code.
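The behaviour discussed above, as an added example that is not part of the thread and is not django-allauth's code: a small in-memory model in which confirming a login code also marks the address as verified. The class and function names, the code lifetime and the attempt limit are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 180  # assumed code lifetime (constructed value)
MAX_ATTEMPTS = 3        # assumed guess limit (constructed value)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class CodeLogin:
    """Hypothetical in-memory model; not django-allauth's implementation."""

    def __init__(self, clock=time.time):
        self.verified = {}  # email -> bool
        self.pending = {}   # email -> PendingCode
        self.clock = clock

    def signup(self, email):
        self.verified[email] = False  # every address starts unverified

    def request_code(self, email):
        """Issue a one-time code; a real system e-mails it instead of returning it."""
        if email not in self.verified:
            return None
        code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.pending[email] = PendingCode(code, self.clock())
        return code

    def confirm_code(self, email, submitted):
        entry = self.pending.get(email)
        if entry is None:
            return False
        expired = self.clock() - entry.issued_at > CODE_TTL_SECONDS
        if expired or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[email]  # a fresh code must be requested
            return False
        entry.attempts += 1
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            return False
        del self.pending[email]  # single use: a replayed code is rejected
        self.verified[email] = True  # reading the code proved mailbox access
        return True
```

The verified flag is only as strong as the code check itself, which is why the model expires codes, caps guesses and accepts each code once.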

@violuke
Author

violuke commented May 28, 2024

Yeah, I think you're right, and I was jumping to the wrong conclusions. I appreciate the response 👌

@violuke violuke closed this as completed May 28, 2024