The idea is great and the instructions clear and easy to follow for a quick integration.
(the localhostmagicsquared.net workaround is a brilliant idea)
But I see you are using RS256 and that makes me think of a security issue. Since you are the only one having the private part of the key pair, you could (in the future) log in as any user on any website that uses magicsquared.net since you can generate properly signed JWTs with any possible content.
I understand that this allows for less friction (and thus, more magic) but I think it is a serious problem in case of a breach or malicious intent.
Does anyone know of a way to solve this in a more secure way without adding too much friction?
I don't think this problem is solvable. The server must be able to generate signed JWTs, so if you have access to the server, you'll be able to do that. The cryptographic details don't matter.
Tried the demo. Took forever to deliver the email (still haven’t received it yet)
We built an in-house solution for this and the biggest issue was bots opening the link. You will be surprised by the number of bots / email providers opening your links. Sometimes after just a few minutes, sometimes hours later. So even with a short expiration, there’re still cases where bots are faster than humans.
We had to implement a crappy algorithm to detect if a request is authentic. So far it works and no complaints from customers yet.
I just tried requesting the email again and got it immidiately. Could you check your spam folder? And if you find it there, mark it as "not spam"?
Bots opening links shouldn't be a problem, because MagicSquared sets a cookie when you request an email to ensure that you can only verify your email from the device that you requested it with.
7 comments
[ 3.0 ms ] story [ 21.3 ms ] threadBut I see you are using RS256 and that makes me think of a security issue. Since you are the only one having the private part of the key pair, you could (in the future) log in as any user on any website that uses magicsquared.net since you can generate properly signed JWTs with any possible content.
I understand that this allows for less friction (and thus, more magic) but I think it is a serious problem in case of a breach or malicious intent.
Does anyone know of a way to solve this in a more secure way without adding too much friction?
We built an in-house solution for this and the biggest issue was bots opening the link. You will be surprised by the number of bots / email providers opening your links. Sometimes after just a few minutes, sometimes hours later. So even with a short expiration, there’re still cases where bots are faster than humans.
We had to implement a crappy algorithm to detect if a request is authentic. So far it works and no complaints from customers yet.
Bots opening links shouldn't be a problem, because MagicSquared sets a cookie when you request an email to ensure that you can only verify your email from the device that you requested it with.