Auth0 requires users to reauthenticate after verifying their emails. That is the most secure approach; however, sometimes this policy does not align with the UX flow of customers that:
(a) want to enforce email validation as a registration step, and
(b) want to allow users to continue registration without re-authenticating after email verification.
Here we propose a simple workaround using the newly announced server-side passwordless flow + /co/authenticate to achieve the above scenario.
Benefits of the following solution:
- The passwordless connection is enabled only for a companion registration app, not for the main application
- Flows are simple; no complex Rules logic
- The database connection is closed to sign-up; users are created only after successful email verification
- Magic link TTL is configurable (not limited to 20m as in the Rules redirect model)
- If the state/nonce check is relaxed, the solution works cross-browser (T&C apply)
- MAU is low (only 1 additional passwordless user for the initial registration)
- Protected by invisible CAPTCHA
- Higher rate limit for /passwordless/start
- Works for both SPA and RWA companion apps
- Add the Management API with the following scopes to your clients: users:create, users:delete, users:read
- (Optional) register a Google reCAPTCHA v3 account
- Copy env-sample to .env and update the client information
- Copy env.js-sample to env.js and update the client information
Clone the project first.

```shell
$ cat /etc/hosts | grep app1.com
127.0.0.1 app1.com
$ composer install
$ php -S app1.com:3001 -e
```
- User visits http://app1.com:3001
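As an added example (not code from this project), the following shows how the companion registration app can trigger the magic link from the server side via /passwordless/start. It assumes PHP with the curl extension, that the request body fields and the Auth0-Forwarded-For header follow Auth0's public documentation for that endpoint, and uses placeholder tenant/client values that would normally be loaded from .env; sendMagicLink is a hypothetical function name.

```php
<?php
// Added example, not part of the project. Sends an Auth0 magic link from the
// server so the email connection is only reachable through this companion app.
// Placeholders below stand in for values loaded from .env.
declare(strict_types=1);

session_start();

function sendMagicLink(string $email, string $clientIp): array {
    $domain       = 'YOUR_TENANT.auth0.com';   // placeholder
    $clientId     = 'YOUR_CLIENT_ID';          // placeholder, companion app only
    $clientSecret = 'YOUR_CLIENT_SECRET';      // placeholder, server side only

    // state/nonce are bound to this browser session and compared when the user
    // returns from the link. Relaxing that check is what makes the flow work
    // cross-browser, at the cost of the CSRF protection it provides.
    $state = bin2hex(random_bytes(16));
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['pwless_state'] = $state;
    $_SESSION['pwless_nonce'] = $nonce;

    $body = [
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'connection'    => 'email',
        'email'         => $email,
        'send'          => 'link',
        'authParams'    => ['scope' => 'openid', 'state' => $state, 'nonce' => $nonce],
    ];

    $ch = curl_init("https://{$domain}/passwordless/start");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',
            // Forward the end user's IP so Auth0 rate-limits and flags anomalies
            // per user rather than per server.
            "Auth0-Forwarded-For: {$clientIp}",
        ],
        CURLOPT_POSTFIELDS     => json_encode($body),
    ]);
    $response = curl_exec($ch);
    $status   = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($response === false || $status !== 200) {
        throw new RuntimeException("passwordless/start failed with HTTP {$status}");
    }
    return json_decode($response, true);
}
```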