Find alternative method to link verification in email

[mihed]

We need to find an alternative method instead of clicking a link in an email.

Basically, GET / HEAD requests must be idempotent (non-state changing). Reason:

• Email security scanners (like google and others) usually opens these links to validate if an email is secure or not
• Browser or client sniffing

Suggestion:

• We are required to hold all the organization's email addresses in Google Contacts, thats how we're sending info emails.
• Enable the contacts API in gcloud and check that the registered user is one of those contacts. Thus, no need for email verification.

[chickenTurtle]

"Basically, GET / HEAD requests must be idempotent (non-state changing)." - they are, you have to click a button which makes a post to the API

if we already have all emails in google contacts thats an easier solution

[mihed]

It's not really relevant anymore if you've decided to go for the contacts option anyways.

(remark: clickable magic links are considered legacy in the sec community, that's what I was going at since their lack of idempotency. But this was maybe never an issue if you had to click a button after going after the link. dunno how it was).