important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Embed user information in the magic link with FE validation

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:: proposed
Deciders:: rishabhpoddar, porcellus
Proposed by:: porcellus
Created:: 2022-11-15

Context and Problem Statement#

We've decided we need to show user information on the passwordless sign in/up screen if it's not the same device/browser that started the sign in process. We need to decide where that information is coming from and how it's validated.

Considered Options#

Fetched from API by preAuthSessionId
Embedded in the link - validated during consume
Embedded in the link - validated in the FE

Decision Outcome#

Our choice: Embedded in the link - validated during link consume

Pros and Cons of the Options#

Fetched from API by preAuthSessionId#

We could also force the FE to fetch this information (by changing the flow of link consumes), but that still doesn't ensure that this information is actually used for validation/shown to the user.

Can also check link validity

Has to be fetched before UI shows

Core change required - fetching contact info

Embedded in the link - validated during consume#

No API call before UI is shown

Enforces validation (more secure)

Link format changes

Core change required - second link version requiring validation (might be skippable)

Embedded in the link and validated by fetching from API#

In this case we embed the contact info in the link which enables us to show the sign in screen but we can delay the consume (on the FE) until the validation info is fetched.

Can also check link validity

No API call before UI is shown

Link format changes

Validation info has to be fetched before consume

Core change required - fetching contact info