The current 5-char generated code can be brute-forced; if it were possible to make it a lot longer / overrideable, it would be possible to use magicLogin in a way that doesn't require clicking the link on the same device.
Something like this:
```typescript
import type { Request, Response } from "express";

// Proposed change: send() takes an optional third argument so the caller can
// supply its own (longer) code instead of relying on the generated 5-digit one.
send = (req: Request, res: Response, code?: string): void => {
  const payload = req.method === 'GET' ? req.query : req.body;
  if (
    req.method === 'POST' &&
    !req.headers['content-type']?.match('application/json')
  ) {
    res
      .status(400)
      .send('Content-Type must be application/json when using POST method.');
    return;
  }
  if (!payload.destination) {
    res.status(400).send('Please specify the destination.');
    return;
  }
  // Only fall back to the current 5-digit generation when no override was passed in.
  if (!code) {
    code = Math.floor(Math.random() * 90000) + 10000 + '';
  }
  // ... rest of send() continues as in the existing implementation
};
```
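As an added example (not magicLogin's code and not part of the issue author's proposal), here is what a longer, overrideable code could look like in practice: a CSPRNG-backed generator with configurable length and alphabet, an explicit override path, a constant-time comparison for the verification side, and a keyspace calculation that makes the brute-force argument concrete. The alphabet, the 8-character default and the minimum override length are assumptions chosen for illustration.

```typescript
// Added example, not magicLogin's own code. Alphabet and defaults are assumptions.
import { randomInt, timingSafeEqual } from "crypto";

// Assumed alphabet: upper-case letters and digits with I and O removed so the
// code is unambiguous when typed by hand on another device (32 symbols).
const CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

// Generate a code of the requested length from the given alphabet.
function generateCode(length = 8, alphabet = CODE_ALPHABET): string {
  if (!Number.isInteger(length) || length < 1) {
    throw new Error("code length must be a positive integer");
  }
  let code = "";
  for (let i = 0; i < length; i++) {
    // randomInt draws from a CSPRNG (unlike Math.random()) and is unbiased
    // for an upper bound this small.
    code += alphabet[randomInt(alphabet.length)];
  }
  return code;
}

// The "overrideable" case: a caller-supplied code wins, subject to a minimum
// length (6 is an assumed floor); otherwise generate one.
function resolveCode(override?: string, length = 8): string {
  if (override !== undefined) {
    if (override.length < 6) {
      throw new Error("override code is too short");
    }
    return override;
  }
  return generateCode(length);
}

// Number of distinct codes an attacker must try in the worst case.
function keyspace(length: number, alphabetSize: number): number {
  return Math.pow(alphabetSize, length);
}

// Expected time to guess a code at a given attempt rate: half the keyspace on average.
function expectedSecondsToGuess(
  length: number,
  alphabetSize: number,
  attemptsPerSecond: number
): number {
  return keyspace(length, alphabetSize) / 2 / attemptsPerSecond;
}

// Constant-time comparison so the verifier does not leak how many leading
// characters of the supplied code were correct.
function codesMatch(expected: string, supplied: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(supplied, "utf8");
  if (a.length !== b.length) {
    return false;
  }
  return timingSafeEqual(a, b);
}
```

Running the numbers with these helpers: a 5-digit code has a keyspace of 100,000 (the snippet above actually yields 90,000 values, 10000 to 99999), so at 100 attempts per second it is expected to fall in about 500 seconds, whereas 8 characters from a 32-symbol alphabet give 2^40 possibilities. Whatever the length, the verifying endpoint should still count failed attempts per destination and expire the code, since the code is only as strong as the number of guesses it allows.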