Funnily, I’ve had the most success with ‘secret links’ that grant admin rights for something (could be a special route or just a GET param)
Not secure, not best UX, but it’s so easy to do. 😊
written by Kirill Rogovoy
What? Can you give an example of how you implement it?
written by Tiago Ferreira
I’m doing that with Grundsteuereinspruch.online as well. It’s basically a randomly (true random) generated hash that is part of the URL. So you have to know the hash to access it.
written by Benedikt
Yeah same with me.
In one app, it’s just a ‘special admin link’ that I send in the email. Once you open it, given that it’s valid, you get the admin cookie for 7 days. It’s just https://normal/url/?a=SECRET
written by Kirill Rogovoy
It’s not totally insecure. More secure than many passwords
written by Benedikt
You only need to make sure there’s no browser history entry with the secret string. I always call history.replaceState as soon as I kick off the auth process.
written by Kirill Rogovoy
I am still confused. So the user wants to access their dashboard: 1. They click on login 2. Add their email 3. They get an email with a token: https://dashboard/token 4. They access that dashboard
Is that it?
written by Tiago Ferreira
They get a specific URL.
written by Benedikt
You could also call it a token, yes.
written by Benedikt
How do you prevent it from being indexed by Google?
written by Tiago Ferreira
No links to it.
written by Benedikt
What if the user links it somewhere, not being aware that it’s public?
written by Tiago Ferreira
Yeah, well, that’s the flaw. You could make it a new URL/secret with every login.
written by Benedikt
I guess you could add it to your robots.txt:
dashboard/*
written by Tiago Ferreira
That as well.
written by Benedikt
Frameworks like Laravel do all the login scaffolding for you if you are looking to do a traditional login.
written by Philip
I think I might go with firebase…
written by Tiago Ferreira