Should Veil expect the email address along with the verification string to complete authentication? #26

Open
armanm opened this issue Jul 15, 2020 · 0 comments

armanm commented Jul 15, 2020

I recently had to work on an auth solution using Firebase Password-less authentication which is why I'm curious to raise this question about Veil:

If you look at Firebase's security concerns, they suggest that the verification string should always be accompanied by the email address at the time of sign-in:

> To prevent a sign-in link from being used to sign in as an unintended user or on an unintended device, Firebase Auth requires the user's email address to be provided when completing the sign-in flow. For sign-in to succeed, this email address must match the address to which the sign-in link was originally sent.

I'm curious what you think about this requirement and whether that's something Veil should support?
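
The check described in the quoted Firebase guidance, sketched as an added example (not code from this issue, from Veil or from Firebase): a sign-in link completes only when the address supplied at completion matches the one the link was issued for. The class name `SignInLinks`, the 15-minute lifetime, the attempt cap and the case-insensitive address comparison are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60   # assumed link lifetime
MAX_ATTEMPTS = 5        # assumed cap on wrong-email tries per link


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _normalise(email: str) -> str:
    # Assumption: addresses are compared case-insensitively after trimming.
    return email.strip().lower()


class SignInLinks:
    """In-memory store of pending links; only digests are kept, never raw values."""

    def __init__(self):
        self._pending = {}  # token digest -> [email digest, expiry, failed attempts]

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # verification string placed in the link
        self._pending[_digest(token)] = [_digest(_normalise(email)), now + TTL_SECONDS, 0]
        return token

    def complete(self, token, email, now=None):
        now = time.time() if now is None else now
        key = _digest(token)
        record = self._pending.get(key)
        if record is None:
            return False                      # unknown or already used
        if now > record[1]:
            del self._pending[key]
            return False                      # expired
        supplied = _digest(_normalise(email))
        if not hmac.compare_digest(record[0], supplied):
            record[2] += 1
            if record[2] >= MAX_ATTEMPTS:
                del self._pending[key]        # stop address guessing against one link
            return False
        del self._pending[key]                # single use
        return True
```

A wrong address leaves the link usable by its intended recipient until the attempt cap is reached, so a forwarded or leaked link alone is not enough to sign in.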

armanm changed the title from "Should Veil expect the email address along with the Base32 encoded request id to complete authentication?" to "Should Veil expect the email address along with the verification string to complete authentication?" on Jul 15, 2020