Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Magic links (passwordless email login) have non-obvious pitfalls beyond the standard best practices. Two key issues: (1) claiming the link on a GET request is dangerous because email clients and browsers may prefetch URLs, consuming the one-time code before the user sees it — the fix is requiring an explicit button click; (2) clicking the link in an email app's in-app browser logs in the wrong browser context — the fix is having the link only mark the code as 'verified' while the original tab polls and completes the login. The post also discusses entropy tradeoffs between magic links and short numeric codes.

Magic Link Pitfalls

Login the original tab, not the magic link tab