Prefetching breaks “magic link” password-less login systems unless you take precautions

Obie Fernandez
3 min read · Jan 8, 2021
I love the Magic Link pattern for websites with drop-dead simple registration like my free daily journaling app called AhhLife.

I’m a big fan of magic link authentication: the UX pattern in which, to log in to a web application, you simply enter your email address into a form and the server mails you a one-time-use URL that you click to log in. Functionally it is equivalent to emailing the user a one-time code that they bring back to your app and type in, minus the copying and typing.

Implementing a magic link system in Rails takes as few as 20 significant lines of code, and I’ve done it on half a dozen personal projects over the last five years or so.

An important part of the implementation is to invalidate the underlying login token the first time it is used (single use, ideally alongside a short expiry window), to minimize the chance of a bad actor gaining unauthorized access by reusing the “magic” link.

This blog post is a reminder to my future self and others that the typical GET-based implementation of magic links (the link’s URL itself performs the login) is easily broken for users whose mail providers or security gateways (Hotmail is one) pre-fetch the links found in email bodies: the prefetcher’s GET request consumes the single-use token before the user ever clicks it.

The problem I’m describing will manifest itself like this:

  • The user will try to login by entering their email address on your site
  • The server will generate a token and send…
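The failure mode above, and the usual precaution (make the link’s GET render a confirmation page and let a POST from that page consume the token), as an added Ruby example that is not the post’s own Rails code and not taken from its truncated remainder. It models an in-memory magic-link store with single-use, hashed, expiring tokens, a naive endpoint that logs the user in on GET, a two-step endpoint whose GET only reads the token and whose POST consumes it, and a simulated link prefetcher that GETs every URL in the message. The class and method names, the 15-minute TTL and the sample addresses are all assumptions of this example.

```ruby
require "securerandom"
require "digest"

# Minimal in-memory model of a magic-link store (example only, not Rails;
# in a real app this is a controller plus an ActiveRecord model).
class MagicLinkStore
  TTL = 15 * 60 # assumed lifetime of a link, in seconds

  Record = Struct.new(:email, :expires_at, :used_at)

  # +clock+ is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @records = {}
    @clock = clock
  end

  # Issue a one-time token for +email+. Only the SHA-256 digest is stored,
  # so a leaked table does not yield usable links.
  def issue(email)
    token = SecureRandom.urlsafe_base64(32)
    @records[digest_of(token)] = Record.new(email, @clock.call + TTL, nil)
    token
  end

  # Read-only check: the record if the token is known, unexpired and unused.
  def lookup(token)
    rec = @records[digest_of(token)]
    return nil if rec.nil? || rec.used_at || rec.expires_at < @clock.call
    rec
  end

  # Consume the token: the email on the first valid use, nil ever after.
  def consume(token)
    rec = lookup(token)
    return nil unless rec
    rec.used_at = @clock.call
    rec.email
  end

  private

  def digest_of(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Naive design: GET /login/:token consumes the token and starts a session.
# Whoever issues that GET first (user or prefetcher) gets the session.
class GetBasedLogin
  def initialize(store)
    @store = store
  end

  def get(token)
    email = @store.consume(token)
    email ? { status: :logged_in, email: email } : { status: :invalid_link }
  end

  def post(_token)
    { status: :not_found }
  end
end

# Hardened design: GET /login/:token only renders a "Continue to sign in"
# page (it reads the token but never consumes it); the POST from that
# page's form is what consumes it. Link prefetchers do not submit forms.
class TwoStepLogin
  def initialize(store)
    @store = store
  end

  def get(token)
    @store.lookup(token) ? { status: :confirm_page } : { status: :invalid_link }
  end

  def post(token)
    email = @store.consume(token)
    email ? { status: :logged_in, email: email } : { status: :invalid_link }
  end
end

# Simulated mail scanner / prefetcher: GETs the URL before the user sees it.
def prefetch(app, token)
  app.get(token)
end

# What the human does: click the link (GET); if a confirm page appears,
# press the button (POST).
def user_clicks(app, token)
  first = app.get(token)
  first[:status] == :confirm_page ? app.post(token) : first
end

# Run one login attempt against a design, with or without a prefetcher in
# the path, and report what the scanner and the user each saw.
def scenario(app_class, prefetched: true)
  store = MagicLinkStore.new
  app = app_class.new(store)
  token = store.issue("alice@example.com") # constructed sample address
  scanner = prefetched ? prefetch(app, token)[:status] : :skipped
  user = user_clicks(app, token)
  { scanner: scanner, user: user[:status], email: user[:email] }
end

if __FILE__ == $PROGRAM_NAME
  puts "GET-based, no prefetch: #{scenario(GetBasedLogin, prefetched: false)}"
  puts "GET-based, prefetched:  #{scenario(GetBasedLogin)}"
  puts "Two-step, prefetched:   #{scenario(TwoStepLogin)}"
end
```

In the naive design the prefetcher’s GET not only burns the token but receives the logged-in response, so the session cookie lands in the scanner rather than the user’s browser; the user’s own click then fails. In the two-step design the scanner only ever sees the confirmation page. In Rails the confirmation page is an ordinary form, so the authenticity token applies to the POST; single use and a short expiry still matter, because the two-step page only defends against scanners that do not submit forms.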
