FlyingFox

01/09/2023, 8:54 AM
Passwordless: clicking magic link on another device, how to detect valid login on original device?
In my application I would like a user to log in to my web SPA app on laptop, and have the ability for that SPA to sit and wait for the magic link to be clicked on any device/browser (not necessarily that machine or browser). When the magic link is clicked, I've overridden the `sendEmail` fn to redirect to `/auth/verify` on my API (not the frontend) so that a very basic (non-SPA) HTML page is served to conduct the `consumeCode` and validate the login, but of course the cookies end up on that device (e.g. a phone browser). What is the best way to poll for the original login request on the original device and to then have the cookies for the authentication tokens sent to the original SPA, as if the consumeCode fn was called on the original browser? I'm thinking to use `consumeCodePOST` to mark my own DB with the user/preAuthSessionId as logged in, and have the original SPA poll my endpoint for validating that, but then how do I get supertokens to send the token data to the SPA in order that the user can become validated on that device? Many thanks for any advice.

rp

01/09/2023, 11:10 AM
hey @FlyingFox
@porcellus can help here

porcellus

01/09/2023, 11:12 AM
hi
I think the easiest way to achieve this is to call `createNewSession` in the polling endpoint

FlyingFox

01/09/2023, 11:14 AM
Thanks, I've just discovered this which might help: https://supertokens.com/docs/passwordless/migration/session-migration

porcellus

01/09/2023, 11:14 AM
also keep in mind that you'll end up with a separate active session on the device that clicked the link
yep, this is actually fairly close to what you need

FlyingFox

01/09/2023, 11:16 AM
It seems to work, my only question now is how can I extract the `preAuthSessionId` from the createCodePOST override so I can enter that in my DB against the submitted `email`?

rp

01/09/2023, 11:24 AM
@porcellus ?

porcellus

01/09/2023, 11:24 AM
Oh, I didn't see the notif, sorry
1 sec, I'll check.
the return value of the original `createCodePOST` should contain the `preAuthSessionId`
also, I'm not sure if you should store this against the submitted email or if you even need to override `createCodePOST`
you should instead override `consumeCodePOST` that saves the `userId` into your DB keyed with the `preAuthSessionId`
in the polling endpoint you'd query this table to check if there is a record with the appropriate `preAuthSessionId`. If it exists you can create a new session and remove the record from your DB

FlyingFox

01/09/2023, 11:35 AM
Thank you, most helpful. I'm looking at this now

porcellus

01/09/2023, 11:41 AM
happy to help 🙂 please let me know if it works out
one extra thing: this will lower security a bit, since if someone is able to read your DB, then they could try and log in between `consumeCode` and the polling endpoint instead of the user.