namsral / multipass

Better authentication for HTTP
BSD 3-Clause "New" or "Revised" License

Store tokens as shortened URLs #19

Closed NeuralSpaz closed 7 years ago

NeuralSpaz commented 7 years ago

Feature Request: An internal URL shortener for loginURLs, to make them suitable for short messages (e.g. 160-char SMS). The short URL redirects to the login-token loginURL; the short URL is deleted after first access, or after 60s, etc.

I've implemented it myself, but could not use the UserService interface, as it needs to plug in to rootHandler and loginHandler to still be in /basepath/.

Also provides another layer of obfuscation of login tokens.

namsral commented 7 years ago

Using a URL shortener may seem convenient but requires the Multipass service to keep more state, which I like to avoid.

And more importantly, storing the tokens within a URL shortening service may seem convenient, but it compromises the login system's security. Shortened URLs are predictable and guessable, making them an easy target for attackers to extract login tokens.
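An added example, not code from namsral/multipass or from either commenter, showing in Go the single-use, expiring short-link store the request describes next to a back-of-envelope estimate of the guessing risk raised in the reply. The names ShortLinks, Shorten, Redeem, GuessProbability, the code alphabet and the sample numbers are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"sync"
	"time"
)

// Hypothetical single-use short-link store (illustrative, not part of multipass):
// a short code maps to the full loginURL and is removed on first access or when
// the TTL passes, whichever comes first.
const codeAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

type entry struct {
	loginURL string
	expires  time.Time
}

type ShortLinks struct {
	mu      sync.Mutex
	ttl     time.Duration
	codeLen int
	Now     func() time.Time // injectable clock so expiry can be exercised offline
	links   map[string]entry
}

func NewShortLinks(codeLen int, ttl time.Duration) *ShortLinks {
	return &ShortLinks{ttl: ttl, codeLen: codeLen, Now: time.Now, links: map[string]entry{}}
}

// randomCode draws each character uniformly with crypto/rand. The code space is
// len(codeAlphabet)^n, which is exactly what a short code gives up.
func randomCode(n int) (string, error) {
	buf := make([]byte, n)
	alpha := big.NewInt(int64(len(codeAlphabet)))
	for i := range buf {
		r, err := rand.Int(rand.Reader, alpha)
		if err != nil {
			return "", err
		}
		buf[i] = codeAlphabet[r.Int64()]
	}
	return string(buf), nil
}

// Shorten stores loginURL under a fresh random code and returns the code.
func (s *ShortLinks) Shorten(loginURL string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for {
		code, err := randomCode(s.codeLen)
		if err != nil {
			return "", err
		}
		if _, taken := s.links[code]; taken {
			continue // collision in a small code space: draw again
		}
		s.links[code] = entry{loginURL: loginURL, expires: s.Now().Add(s.ttl)}
		return code, nil
	}
}

var ErrNotFound = errors.New("short link unknown, expired, or already used")

// Redeem hands out the loginURL exactly once and deletes the entry, so a later
// caller (including someone who guesses the code afterwards) gets nothing.
func (s *ShortLinks) Redeem(code string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.links[code]
	delete(s.links, code) // delete on expiry too, so stale entries do not linger
	if !ok || s.Now().After(e.expires) {
		return "", ErrNotFound
	}
	return e.loginURL, nil
}

// GuessProbability estimates the chance that an attacker submitting rate guesses
// per second for the whole ttl hits at least one of live outstanding codes of
// length codeLen. Approximation: live*guesses/space, capped at 1.
func GuessProbability(codeLen int, live int, rate float64, ttl time.Duration) float64 {
	space := math.Pow(float64(len(codeAlphabet)), float64(codeLen))
	guesses := rate * ttl.Seconds()
	return math.Min(1, float64(live)*guesses/space)
}

func main() {
	s := NewShortLinks(6, 60*time.Second)
	code, _ := s.Shorten("https://example.com/multipass/login?token=...")
	url, err := s.Redeem(code)
	fmt.Println(url, err) // first redemption succeeds
	_, err = s.Redeem(code)
	fmt.Println(err) // second one fails: single use
	// 1000 live links, 10k guesses/s for the 60 s window, 6-char vs 4-char codes
	fmt.Printf("6 chars: %.4f  4 chars: %.1f\n",
		GuessProbability(6, 1000, 1e4, 60*time.Second), GuessProbability(4, 1000, 1e4, 60*time.Second))
	// a 32-byte token is about 43 base62 characters: effectively unguessable
	fmt.Printf("43 chars: %.3g\n", GuessProbability(43, 1000, 1e4, 60*time.Second))
}
```

With the sample figures, 1000 outstanding links and an attacker able to submit 10,000 guesses per second over the 60 s window, a 6-character base62 code is found with roughly 1% probability, a 4-character code with certainty, and a 32-byte token (about 43 base62 characters) with effectively zero probability. The single-use and TTL rules shrink the attacker's window but do not change the size of the code space, which is the point of the reply above.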