How are you implementing logins in your website these days?

Are there any tools or services you recommend?

author Tiago Ferreira

17 Answers

Funnily, I’ve had the most success with ‘secret links’ that grant admin rights for something (could be a special route or just a GET param)

Not secure, not best UX, but it’s so easy to do. 😊

written by Kirill Rogovoy

What? Can you give an example of how you implement it?

written by Tiago Ferreira

I’m doing that with Grundsteuereinspruch.online as well. It’s a randomly (true random) generated hash basically that is part of the URL. So you have to know the hash to access

written by Benedikt

Yeah same with me.

In one app, it’s just a ‘special admin link’ that I send in the email. Once you open it, given that it’s valid, you get the admin cookie for 7 days. It’s just https://normal/url/?a=SECRET

written by Kirill Rogovoy

It’s not totally insecure. More secure than many passwords

written by Benedikt

You only need to make sure there’s no browser history entry with the secret string. I always call history.replaceState as soon as I kick off the auth process

written by Kirill Rogovoy

I am still confused. So the user wants to access their dashboard:

1. They click on login
2. Add their email
3. They get an email with a token: https://dashboard/token
4. They access that dashboard

Is that it?

written by Tiago Ferreira

They get a specific URL

written by Benedikt

You could also call it token, yes

written by Benedikt

How do you prevent it from being indexed by Google?

written by Tiago Ferreira

No links to it

written by Benedikt

What if the user links it somewhere, not being aware that it’s public?

written by Tiago Ferreira

Yeah well that’s the flaw. You could make it a new URL/secret with every login

written by Benedikt

I guess you could add it to your robot.txt: dashboard/*

written by Tiago Ferreira

That as well

written by Benedikt
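
The secret-link flow discussed in the answers above, as an added example that is not code from any of the posters. It follows the "new secret with every login" variant: each link works once and expires, only a hash of the secret is stored, and redeeming it sets the 7-day cookie and redirects to the same URL without the secret. The function names, the in-memory `Map`, the 15-minute lifetime, the `admin` cookie name and the `normal.example` host are assumptions.

```javascript
// Added example; issueLink, redeemLink and the Map-based store are hypothetical names.
const crypto = require('node:crypto');

const LINK_TTL_MS = 15 * 60 * 1000;     // assumed: an emailed link is valid for 15 minutes
const COOKIE_TTL_S = 7 * 24 * 60 * 60;  // 7-day admin cookie, as described in the thread

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// store maps sha256(secret) -> { email, expires }. Only the hash is kept, so a
// leaked store does not hand out usable links.
function issueLink(store, email, baseUrl, now = Date.now()) {
  const secret = crypto.randomBytes(32).toString('base64url'); // 256 bits from the CSPRNG
  store.set(sha256(secret), { email, expires: now + LINK_TTL_MS });
  const url = new URL(baseUrl);
  url.searchParams.set('a', secret);
  return url.toString();
}

// Returns the status and headers a server would send for a request to requestUrl.
function redeemLink(store, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  const key = sha256(url.searchParams.get('a') || '');
  const entry = store.get(key);
  store.delete(key); // single use: a link that was shared or indexed later is dead
  const headers = {
    'Referrer-Policy': 'no-referrer',    // keep the secret out of Referer headers
    'X-Robots-Tag': 'noindex, nofollow', // ask crawlers not to index this response
    'Cache-Control': 'no-store',
  };
  if (!entry || entry.expires < now) return { status: 403, headers };
  url.searchParams.delete('a');
  const session = crypto.randomBytes(32).toString('base64url');
  headers['Set-Cookie'] =
    `admin=${session}; Max-Age=${COOKIE_TTL_S}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  headers['Location'] = url.pathname + url.search; // same URL, secret removed
  return { status: 303, headers, email: entry.email, session };
}
```

The caller still has to persist `session` server-side and map it to `email`; the example only shows the link and cookie handling.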

Frameworks like Laravel do all the login scaffolding for you if you are looking to do a traditional login.

written by Philip

I think I might go with firebase…

written by Tiago Ferreira
