Magic Link Authentication with generates_token_for in Rails 7.1 Discussion
Is magic link login considered secure?
Can it be used for a production website reliably?
Thanks
As long as the tokens expire, are one-time use, and the user's email isn't compromised, it should be fine. You'll still want to support 2FA through another mechanism for more security.
I much prefer email/password login so I can use a password manager.
Hi Chris,
How do you use CurrentAttributes in real-world projects? I've read in several blogs that it's considered harmful, so its use isn't recommended.
So I want to know your perspective on this.
Thanks
How are CurrentAttributes implemented in practical projects? According to several blog posts, it is deemed hazardous and therefore its use is not advised.
I would therefore like to hear your perspective on this.
How can you mock this in an integration test where you need to be authenticated but you don't have access to the session?
Please note that Microsoft Outlook (and possibly other email clients) will pre-fetch the link and execute a GET request and INVALIDATE THE TOKEN prior to the recipient having a chance to click on the link!
I spent some time troubleshooting this issue and I think it is worth mentioning in the video or the video notes. My solution was to add an additional step where the user needs to click on a button and confirm the login action with a POST request.
Another solution is to have the token allow multiple logins but this is much less secure.
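One way to structure the GET/POST split this comment describes, as an added example that is not part of the original thread and does not use Rails' generates_token_for (a hypothetical HMAC-signed token store stands in for it): the GET handler only verifies the token and renders a confirm page, so a link scanner's prefetch leaves it valid, while the POST handler is the only path that consumes it.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Hypothetical stand-in for a magic-link token store (not Rails' own API).
# Tokens are HMAC-signed and expire; they are consumed exactly once, but only
# by the POST confirmation, never by a GET from a mail client's link scanner.
class MagicLinkStore
  TTL = 15 * 60 # seconds a link stays valid

  def initialize(secret)
    @secret = secret
    @used = {} # token id => true once redeemed (server-side one-time state)
  end

  def issue(email, now = Time.now.to_i)
    payload = { email: email, exp: now + TTL, jti: SecureRandom.hex(8) }.to_json
    encoded = [payload].pack('m0') # strict base64 has no '.', so split below is safe
    "#{encoded}.#{sign(encoded)}"
  end

  # GET /login/:token -> render a "confirm sign-in" page. Checks signature,
  # expiry and unused state only; a prefetch hitting this does not burn the token.
  def preview(token, now = Time.now.to_i)
    payload = verify(token, now)
    payload && !@used[payload['jti']] ? payload['email'] : nil
  end

  # POST /login/:token -> the user pressed the button; now consume the token.
  def redeem(token, now = Time.now.to_i)
    payload = verify(token, now)
    return nil if payload.nil? || @used[payload['jti']]
    @used[payload['jti']] = true
    payload['email']
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  def verify(token, now)
    encoded, sig = token.to_s.split('.', 2)
    return nil unless encoded && sig && secure_compare(sign(encoded), sig)
    payload = JSON.parse(encoded.unpack1('m0'))
    payload['exp'] > now ? payload : nil
  end

  def secure_compare(a, b) # constant-time comparison of the two hex digests
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```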