Pushing this change now. You now have to click the login link with the same device that requested the link or it won't work.
If you want to login with your mobile device but have trouble accessing the link, then you can login on desktop and scan the QR code on your profile :)
If you want to login with your mobile device but have trouble accessing the link, then you can login on desktop and scan the QR code on your profile :)
https://twitter.com/kentcdodds/status/1445796935986597894
In case you're interested: github.com/kentcdodds/ken…
Like I said. I originally had this in place, but gave in when people complained about being able to use the login link on a different device. That was the wrong choice.
Like I said. I originally had this in place, but gave in when people complained about being able to use the login link on a different device. That was the wrong choice.
Now even if someone gets your login link, they won't be able to login for you because the link won't work!
lol, just realized that if someone *did* manage to get your login link all they would need to do is request a login link for your email address and they'd be able to get in.
Going to add another bit to the link payload that's a randomly generated ID to side-step this :)
Going to add another bit to the link payload that's a randomly generated ID to side-step this :)
Oh, actually, I already store the whole magic link in the HTTP-only session cookie, so I'll just use that to verify you're the one who requested the one you're clicking. :)
Here's that (also improved some other error messages as well as the experience of using the site while we're waiting for you to click the magic link): github.com/kentcdodds/ken…
Deployed. Here you go. Try to login to my account: kentcdodds.com/magic?kodyKey=…
(If you do somehow manage it, please email me 😅)
(If you do somehow manage it, please email me 😅)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
