Open martinblostein opened 2 years ago
The problem is that when visiting the mail from a different device (which is very common) the cookie will not be present and the mail will need to be provided by the user themselves again.
It feels awkward to ask for the mail right after asking for it a second ago, but I understand the importance of this.
I’ll try to find some time to fix this.
From here: https://firebase.google.com/docs/auth/web/email-link-auth#security_concerns
This library does exactly this in the sendOobCode method. You can verify the issue by initiating sign in on one device and then completing it on another. This should not work--the user should be required to re-enter their email address in that case.
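The completion behaviour the issue asks for, as an added example that is not part of the original thread or the library's code: the address is taken only from what this device stored or what the user re-enters, never from the link. All function names, the storage key, the `email` query parameter and the `verify` callback (a stand-in for the backend check of the one-time code) are assumptions.

```javascript
// Added example. All names here are hypothetical, not taken from the library.
const EMAIL_KEY = "emailForSignIn"; // written only on the device that requested the link

// Called when the user requests a link: remember the address on this device only.
function rememberEmail(deviceStore, email) {
  deviceStore.set(EMAIL_KEY, email.trim().toLowerCase());
}

// Called when a sign-in link is opened. `typedEmail` is what the user entered on
// this device (or null). `verify(email, link)` stands in for the backend call
// that checks the one-time code against the supplied address.
function completeSignIn(link, deviceStore, typedEmail, verify) {
  // Report, but never use, an address carried in the link itself.
  const linkCarriesEmail = new URL(link).searchParams.has("email");
  const stored = deviceStore.get(EMAIL_KEY);
  const typed = typedEmail ? typedEmail.trim().toLowerCase() : "";
  const email = stored || typed;
  // Different device and nothing entered yet: the caller must prompt the user.
  if (!email) return { status: "need-email", linkCarriesEmail };
  const ok = verify(email, link);
  if (ok) deviceStore.delete(EMAIL_KEY); // the stored address is single use
  const source = stored ? "device" : "user";
  return { status: ok ? "signed-in" : "rejected", email, source, linkCarriesEmail };
}

// Constructed sample data: a link issued for alice@example.com.
const SAMPLE_LINK =
  "https://app.example/finish?oobCode=CONSTRUCTED&email=alice%40example.com";
const sampleVerify = (email, link) =>
  email === "alice@example.com" &&
  new URL(link).searchParams.get("oobCode") === "CONSTRUCTED";

function demo() {
  const laptop = new Map(); // device that requested the link
  const phone = new Map(); // a different device with nothing stored
  rememberEmail(laptop, "Alice@Example.com");
  return {
    sameDevice: completeSignIn(SAMPLE_LINK, laptop, null, sampleVerify),
    otherDeviceNoInput: completeSignIn(SAMPLE_LINK, phone, null, sampleVerify),
    otherDeviceRetyped: completeSignIn(SAMPLE_LINK, phone, "alice@example.com", sampleVerify),
    otherDeviceWrong: completeSignIn(SAMPLE_LINK, phone, "bob@example.com", sampleVerify),
  };
}

console.log(demo());
```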