important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Allow opening login urls on new devices

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:: proposed
Deciders:: rishabhpoddar, porcellus
Proposed by:: porcellus
Created:: 2022-10-25

Context and Problem Statement#

We need to decide if we want to allow logging in by opening links sent by email on a new device/browser (not the one that started the login process). The intended flow is to open the url on the device that started the login process.

Considered Options#

Disallow
Allow
Allow - require interaction
Allow - show info about the user on the FE and require interaction

Decision Outcome#

We've decided to allow sign in after the user is shown a screen where they can see the user they are logging into.

Pros and Cons of the Options#

Disallow#

Simple to explain/communicate

Other providers do this

Blocks the attack vector of forwarding/crafting a login link

We'd be removing functionality

Allow#

Keeps current functionality

URL scanners of email servers/providers may open and (sometimes) consume the link

An attacker could forward (or craft) a login link and trick a user into logging into their account (and steal their data)

Allow - require interaction#

Keeps current functionality

Requiring a button click blocks url scanners from consuming the link

An attacker could forward (or craft) a login link and trick a user into logging into their account (and steal their data)

Allow - show info about the user on the FE and require interaction#

Keeps current functionality

Requiring a button click blocks url scanners from consuming the link

The user can see the user they are logging into (email/phone number)

We need to validate/fetch user information on the FE

Still a possible vector for spear-phising