https://supertokens.com/ logo
Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Powered by
Title
r

ronflai

02/09/2023, 10:40 AM
Hello guys ! Small questions regarding the passwordless flow. When a user do multiple login attempts and so received multiples login links in his email account, he can still click on the first generated link. Why the first link is not invalide ?
r

rp

02/09/2023, 10:43 AM
Hey @
Hey @ronflai
That’s unexpected.
The first link should be valid
We only revoke passwordless links if any one of them is successfully consumed or has expired.
r

ronflai

02/09/2023, 11:01 AM
@Hey @rp Thanks for the reply. Ok but if the user has requested 2 links within the same hour and he did not click on any oh those links, he can still click on the oldest one ?
r

rp

02/09/2023, 11:02 AM
Yes
r

ronflai

02/09/2023, 11:03 AM
and why ?
is there a way to invalide the old one even if he did not clicked on any link ?
r

rp

02/09/2023, 11:06 AM
Why - cause it’s a better UX
and yes you can invalidate the older one by overriding the create code function on the backend to fetch all the codes for the input email and revoke them.
@porcellus can help with code snippet if you tell us which backend SDK is being used.
r

ronflai

02/09/2023, 11:09 AM
Thanks for the answer @rp we are using the python passwordless sdk
p

porcellus

02/09/2023, 12:09 PM
hi
you can check here for information about overriding functions: https://supertokens.com/docs/emailpassword/advanced-customizations/backend-functions-override/usage
I'll come up with a code snippet shortly 🙂
So you'd need something like this: 
py
from supertokens_python import init, InputAppInfo
from supertokens_python.recipe import passwordless
from supertokens_python.recipe.passwordless.interfaces import CreateCodeOkResult
from supertokens_python.recipe.passwordless.interfaces import RecipeInterface
from typing import Union, Dict, Any

def override_passwordless_functions(original_implementation: RecipeInterface):
    original_create_code = original_implementation.create_code
    async def create_code(
            email: Union[None, str],
            phone_number: Union[None, str],
            user_input_code: Union[None, str],
            user_context: Dict[str, Any],
        ) -> CreateCodeOkResult:
        await original_implementation.revoke_all_codes(email, phone_number, user_context)
        return await original_create_code(email, phone_number, user_input_code, user_context)
    
    original_implementation.create_code = create_code
    return original_implementation

init(
    app_info=InputAppInfo(api_domain="...", app_name="...", website_domain="..."),
    
    framework='...', 
    recipe_list=[
        passwordless.init(
            contact_config=..., 
            flow_type="...", 
            override=passwordless.InputOverrideConfig(
                functions=override_passwordless_functions
            )
        )
    ]
)
this will call 
revoke_all_codes
when the user is starting a new login attempt.
Btw, you can also control how long the magic links are valid if that's the basis of this issue.
#support-questionsJoin Discord
Powered by