Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
e
engin
12/06/2022, 8:18 AMHi There!
I am interested in magic links. I am wondering if what I am trying to do is possible.
1. I invite a User to visit a page in my app by sending them a magic link
(Note, docs for this are missing: https://supertokens.com/docs/passwordless/common-customizations/generating-magic-link-manually)
2. The URL will be of the form https://myapp.com/[magic]
3. The page is available to anybody with the magic link (in theory only the person who receives my invitation)
4. The link needs to expire after 24 hours or maybe 48 hours
5. The page/route with the magic link is visible, but NO OTHER page/route should be visible (i.e. it is not the same as authenticating to the app)
6. The regular passwordless (using email) should continue to grant general access to the app, so only the magic link is a bit different
What do you think about this approach? Does my explanation make sense?
Can I do this with SuperTokens, or do I need to roll my own guard for this special route?
Or, is there a better way to show only one page / route in my app using a magic link only with SuperTokens?
Thanks!
=David
r
rp
12/06/2022, 8:31 AMhey @engin
you can do this with supertokens.
In order to generate the magic link, you need to call the backend function (createCode: https://supertokens.com/docs/nodejs/modules/recipe_passwordless.html#createCode-1) with the email as the input.
this would return a magic link code and a preAuthSessionId using which you can make your own magic link and send it to the user.
When the user clicks on it, you can call the consume code API from the frontend with the linkCode and preAuthSessionId from the magic link to log the user in
I don't quite understand point number (5) in the above description though.
e
engin
12/06/2022, 8:40 AMHey @rp thanks!
Regarding point #5... Let's say my app has 2 "regular" routes, and 1 "magic" route:
Route a: /regular-route-a/maybe/has/sub-routes/too
Route b: /regular-route-b/maybe/has/sub-routes/too
These make up the “regular” pages in my app, which of course require authentication.
There is also a “magic” route, which is not authenticated. It is “secured” in that only the person who knows the magic link can access it:
Magic route: /[magic secret]/maybe/has/sub-routes/too
So “authenticating” and “knowing the magic link” are really two different things.
Does that make sense?
r
rp
12/06/2022, 8:49 AMAh right. So in that case, you should still guard those magic routes with the session guard - just like the regular routes.
But in the session that is created for the magic link user, you can add something in their access token payload like "isMagicLinkUser: true" and check on the frontend that this boolean exists in the payload and only if it does, should you show the magic routes.
This can be done by overriding the createNewSession function on the backend and reading the request object (from input.userContext._default.request) to read the origin header path. If the path is the magic link one, then add this boolean to the session's access token payload before calling the original impl
e
engin
12/06/2022, 8:55 AMOk, I'll give that a try. Thanks!!
Just to be clear...
Are you talking about this?
url: '/signinup/code/consume',r
rp
12/06/2022, 11:42 AMSo that’s the api which the frontend calls
For consuming the link code
Does regular login also happen using magic link?
If not, then you can modify the access token payload based on if this is the path that’s being queried
e
engin
12/06/2022, 11:46 AMPerhaps it would be safer to use this?
> body: {
> linkCode: 'tYySg...',
> preAuthSessionId: 'AVFnk...'
> },I assume other requests won't have that body? So I could look for the "linkCode" and "preAuthSessionId" properties?
r
rp
12/06/2022, 11:49 AMOh yea. Sure. Can do
e
engin
12/06/2022, 12:48 PMIt looks like I need to send along some additional data when I execute
createCode()userContextr
rp
12/06/2022, 1:09 PMyou could use the preAPIHook function to add custom info to the request body
and then read that on the backend
i think the createCode function should have an options param which contains the preApiHook functino
e
engin
12/07/2022, 12:23 AMOk, thanks.
I am having a bit of trouble understanding preAPIHook from the docs. Is there an example somewhere I could see?
r
rp
12/07/2022, 4:03 AMWhich frontend SDK are you using?
e
engin
12/07/2022, 4:04 AMreact
r
rp
12/07/2022, 4:06 AMWhich recipe?
e
engin
12/07/2022, 4:06 AMThis is for the magic links, so I guess passwordless?
r
e
engin
12/07/2022, 4:07 AMOh, thanks! For some reason neither Google nor the search function on the site showed me that one. Cheers!
r
rp
12/07/2022, 4:07 AMHmmm. Weird
e
engin
12/07/2022, 4:08 AMProbably just a bad search query. I was using "preAPIHook".
I configured my app to use the preAPIHook, but the hook is not getting triggered. Any ideas what I could be doing wrong?
Note: in this app (subdomain), there is only supertokens-web-js and no supertokens-auth-react, but I assume that should matter, right?
r
rp
12/07/2022, 8:31 AMoh i see. So for web-js, the preAPIHook is part of the function call - there is an options input which contains that
e
engin
12/07/2022, 8:33 AMRight, that's what I thought, but I asked if you should show me an example, so I was trying to understand from the link you gave. 🤣
r
rp
12/07/2022, 8:33 AMi can send an example shortly.
e
engin
12/07/2022, 8:33 AMAwesome, thanks!! 😀
r
rp
12/07/2022, 8:47 AMI think this may work:
Passwordless.createCode({
email: "...",
options: {
preAPIHook: async (context) => {
let requestInit = context.requestInit;
let bodyStr = requestInit.body?.toString();
if (bodyStr !== undefined) {
let body = JSON.parse(bodyStr);
body = {
...body,
"customKey": "customValue"
}
bodyStr = JSON.parse(body);
}
context.requestInit.body = bodyStr
return context;
}
}
})e
engin
12/07/2022, 11:15 AMThis was VERY helpful. Thanks!
Strange question, perhaps, but what is the "secret" or "magic" part of the magic link?
The query part of the URL is something like:
?rid=passwordless&preAuthSessionId=xZri2I9tmjtyibDxoEsobH3ZVKfALRMuH29gO0dvlqU=#tXCnql1-v3QoSliniHhU2kbQTbMuz0k7LKFijzGzDwQ=r
rp
12/07/2022, 11:15 AMyup
the part after the "#'"
e
engin
12/07/2022, 11:15 AMCool, thanks!