[email provider] invalidate previous login links #779
Comments
Thanks for raising this feature! I think this is a good suggestion and we should take it into account when working on the email provider - probably adding it at the same time as we look at rate limiting and/or adding support for short validation codes (in addition to the links).
In #2361, I am going to make it required for the adapter developers to delete the previous token used for signin in their , no matter if the signin was successful or not. This means that in case of an error, a user must receive a new email with a new link as the old will be invalidated/gone. See next-auth/src/server/routes/callback.js, line 182 in 79b3ab7.
If I understand the proposal here, that should be addressed in that PR.
That sounds great!
This has been released in
Summary of proposed feature
Any call to signIn function/REST API endpoint of the email provider should invalidate any previously created login link.
Purpose of proposed feature
The goal is to increase the security level of this provider.
Potential problems
I can't see any issue with that change proposal.
Describe any alternatives you've considered
I can't find any alternative.
Additional context
This is a recommendation from a security auditor based on WASP guidelines.
I am a bit busy right now but later I could try to implement it myself if the feature is accepted.