JSON Web Token
romaro, 2021-04-28 13:01:14

Are there errors in my magic link authentication scheme?

I want to implement passwordless authentication on a site with JWT authorization. I use Express as a framework.

Now I see the following scenario:
1) On the login page, the user enters his e-mail;
2) Check in the database whether a user with this e-mail exists;
3) If the user is found, update the refresh token and send a link with this token to the user's e-mail;
4) The user follows the link; check the validity of the refresh token;
5) If the refresh token is valid, then a) renew the refresh token, b) issue a JWT;
6) Send the new refresh and JWT tokens to the client.

That is, the refresh token is sent to the user by email in clear text, but lives until the first click on the link. Refresh tokens are supposed to be valid for 15 days, but for those sent by email, you can set an expiration date of several hours.

How effective is this option for a site with medium security requirements? That is, there is no way to withdraw money from the user's balance in a matter of minutes.

In any case, this is my first attempt to implement authentication from scratch and understand how it works. Therefore, I will be grateful for any help.

PS While I was preparing the question, I thought that as an additional security measure, you can hash the refresh token before embedding it in the url.
