DEV Community


Discussion on: Implementing Passwordless Authentication in Node.JS

bigbott

The attacker steals the mailbox and gets access to all applications/websites.

I think the best way is a custom stateless JWT that contains an encrypted userID and timestamp and is included in the request as both a Cookie and part of the request body (JSON). The server then compares the JWT from the Cookie and the JSON and, if they match, keeps the user logged in and retrieves the needed info from the DB with the userID.
