Important: This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Embed user information in the magic link with FE validation

Status

This is just a proposal so far; it hasn't been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2022-11-15

Context and Problem Statement

We've decided we need to show user information on the passwordless sign in/up screen if it's not the same device/browser that started the sign in process. We need to decide where that information is coming from and how it's validated.

Considered Options

  • Fetched from API by preAuthSessionId
  • Embedded in the link - validated during consume
  • Embedded in the link - validated in the FE

Decision Outcome

Our choice: Embedded in the link - validated during link consume

Pros and Cons of the Options

Fetched from API by preAuthSessionId

We could also force the FE to fetch this information (by changing the flow of link consumes), but that still doesn't ensure that this information is actually used for validation/shown to the user.

  • Can also check link validity
  • Has to be fetched before UI shows
  • Core change required - fetching contact info
Embedded in the link - validated during consume

  • No API call before UI is shown
  • Enforces validation (more secure)
  • Link format changes
  • Core change required - second link version requiring validation (might be skippable)
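
A sketch of the "validated during consume" option, added here as an illustration and not taken from SuperTokens code. The function names, status strings, link layout and in-memory store are all hypothetical, and it assumes that "validation" means the consume call compares the contact info carried in the link with the value stored for the preAuthSessionId.

```javascript
// Added illustration: every name below is hypothetical, not a SuperTokens API.
const crypto = require("crypto");

// Constructed in-memory stand-in for the core's pre-auth session storage.
const preAuthSessions = new Map();
const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Backend: create the session and build a link that carries the contact info.
function createMagicLink(baseUrl, contactInfo) {
  const preAuthSessionId = crypto.randomBytes(16).toString("hex");
  const linkCode = crypto.randomBytes(16).toString("hex");
  preAuthSessions.set(preAuthSessionId, { codeHash: sha256(linkCode), contactInfo });
  const url = new URL(baseUrl);
  url.searchParams.set("preAuthSessionId", preAuthSessionId);
  url.searchParams.set("contactInfo", contactInfo);
  url.hash = linkCode;
  return url.toString();
}

// Frontend: the screen can be rendered from the link alone, with no API call.
// At this point contactInfo is unverified, display-only data.
function parseMagicLink(link) {
  const url = new URL(link);
  return {
    preAuthSessionId: url.searchParams.get("preAuthSessionId"),
    contactInfo: url.searchParams.get("contactInfo"),
    linkCode: url.hash.slice(1),
  };
}

// Backend consume: the contact info shown to the user is sent along and must
// match what was stored, so an edited link cannot complete the sign in.
function consumeLink({ preAuthSessionId, contactInfo, linkCode }) {
  const session = preAuthSessions.get(preAuthSessionId);
  if (!session || typeof linkCode !== "string" ||
      !crypto.timingSafeEqual(session.codeHash, sha256(linkCode))) {
    return { status: "INVALID_LINK" };
  }
  if (contactInfo !== session.contactInfo) {
    return { status: "CONTACT_INFO_MISMATCH" };
  }
  preAuthSessions.delete(preAuthSessionId); // single use
  return { status: "OK", contactInfo: session.contactInfo };
}
```

Because the mismatch is rejected at consume time, the check does not depend on the frontend choosing to perform it.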
Embedded in the link and validated by fetching from API

In this case we embed the contact info in the link, which enables us to show the sign in screen, but we can delay the consume (on the FE) until the validation info is fetched.

  • Can also check link validity
  • No API call before UI is shown
  • Link format changes
  • Validation info has to be fetched before consume
  • Core change required - fetching contact info