florianheinemann / passwordless

node.js/express module to authenticate users without password
MIT License

Prevent users figuring out which emails are accepted? #127

Open jhackett1 opened 5 years ago

jhackett1 commented 5 years ago

For the passwordless.requestToken() method, is there a recommended way to:

  1. accept any email and send the user onto a "check your email" message in every case
  2. then, silently look up the email and only send a token if the email is found. If the email is invalid, nothing happens

I don't want to give users a way to figure out which email addresses are valid from the interface, but following the example code, an invalid email gives a 401 unauthorised error.

I've settled for sending successRedirect and failureRedirect to the same view for the moment:

const express = require("express");
const passwordless = require("passwordless");
const router = express.Router();
// authController is the poster's own module (sendMagicLink, checkEmail).
// Both outcomes land on the same view, so the redirect does not reveal
// whether the submitted address was known.
router.post("/login", passwordless.requestToken(authController.sendMagicLink, {
    successRedirect: "/login/check-email",
    failureRedirect: "/login/check-email"
}))
// Route paths need a leading slash or Express will never match this handler.
router.get("/login/check-email", authController.checkEmail)