Closed iokiwi closed 1 year ago
@ankitgadling you could pick this one up too
can you please explain it in detail
Yes. For this app we use Magic Links for signup / login instead of using a username and a password.
This makes life easy for us as we don't need to build 2fa or password reset or password security policies.
However, anyone who gets hold of a magic link can use it to get into your account (within 5 minutes - then the link expires). This is an attack vector for phishing and scamming.
A scammer who knows your email address and phone number might type your email address into the login form.
An email will get sent to you with a magic sign-on link.
The attacker might then phone you up and ask you to send them that link - they will try to trick you or convince you that it's important or that it's safe to send them that link.
They might tell you they work for us, or they are a friend or a colleague, or law enforcement, or a financial guru who can make you rich if you give them access.
So we should make it explicitly clear to the user that they should NEVER share their magic link with ANYONE under ANY circumstances.
We should add information to the body of the email explaining to the user that:
The body of the email is generated in the def send_email(user, link): function in https://github.com/iokiwi/moneyapp/blob/main/app/users/views.py
I am available to work on the issue. Could you please assign this issue to me?
Let me know if you have any questions
Hi @iokiwi, I have added the warning in the body of the email. Let me know if any changes are needed.
It's perfect. Raise a PR and I will merge it in the morning.
Magic sign-up link should warn people about clicking on sign-up links they didn't request. This should be as simple as modifying the text in the send_email method:
https://github.com/iokiwi/moneyapp/blob/main/app/users/views.py#L30-L43
Note that in Dev, we don't actually send email. Email will be printed to the console as configured by settings.py: https://github.com/iokiwi/moneyapp/blob/main/app/moneyapp/settings.py#L74
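As an added example (not the project's send_email and not from the thread above), here is a plain-Python stand-in showing the two things the discussion asks for: an email body whose "never share this link / ignore links you didn't request" warning sits above the link, and a 5-minute, single-use expiry on the token. The base URL, the in-memory token store and the exact warning wording are assumptions for the example; the real app would use Django's mail and its database.

```python
import secrets
import time
from email.message import EmailMessage
from typing import Optional

# Assumed for this example: links expire 5 minutes after issue, as described in the issue.
LINK_TTL_SECONDS = 5 * 60

# Constructed in-memory token store: token -> (email, issued_at). The real app keeps this in its DB.
_tokens: dict = {}

# Assumed warning wording; the point is that it precedes the link and covers both cases
# (never share it, and ignore it if you did not ask for it).
WARNING_TEXT = (
    "SECURITY WARNING\n"
    "Never share this link with anyone, under any circumstances. Nobody at MoneyApp, "
    "nor the police, a friend or a financial adviser, will ever need it. Anyone who has "
    "this link can sign in to your account.\n"
    "If you did not request this link, do not click it: someone may have typed your "
    "email address into the login form. Ignore and delete this message; the link "
    "expires 5 minutes after it was sent."
)


def issue_magic_link(user_email: str, base_url: str, now: Optional[float] = None) -> str:
    """Create an unguessable single-use token, record when it was issued, return the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
    _tokens[token] = (user_email, now)
    return f"{base_url}/login/verify/{token}"


def build_magic_link_email(user_email: str, link: str) -> EmailMessage:
    """Compose the sign-in email with the warning placed before the link so it is read first."""
    msg = EmailMessage()
    msg["To"] = user_email
    msg["Subject"] = "Your MoneyApp sign-in link"
    msg.set_content(f"{WARNING_TEXT}\n\nTo sign in, open this link within 5 minutes:\n{link}\n")
    return msg


def verify_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the token was issued for, or None if unknown, already used or expired."""
    now = time.time() if now is None else now
    record = _tokens.pop(token, None)  # pop so a link can only ever be redeemed once
    if record is None:
        return None
    user_email, issued_at = record
    if now - issued_at > LINK_TTL_SECONDS:
        return None
    return user_email
```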