DEV Community

loading...

Discussion on: Implementing Passwordless Authentication in Node.JS

Collapse
idrisrampurawala profile image
Idris Rampurawala

Nice article! Leaving about whether this method is safe or not, as already in discussion by our dev members, I want to highlight one thing here.

In /login API (snippet below), if an email is not found, then we should not tell the user that the email is not in our system. This is a security risk by which a hacker can identify valid emails in a system.

// Login endpoint
app.post("/login", (req, res) => {
  const email = req.body.email;

  if (!email) {
    res.statusCode(403);
    res.send({
      message: "There is no email address that matches this.",
    });
  }

  if (email) {
    res.statusCode(200);
    res.send(email);
  }
});
Enter fullscreen mode Exit fullscreen mode

Hence, /login API can just respond with something generic like, You will receive an email with the link if an account is found associated with this email. 😁

Collapse
andreasvirkus profile image
ajv

Excellent point to bring up! Same goes for signups. You should always say "You'll receive an email" and for existing emails, simply state that "Someone tried to sign up with us. If that was you - Log in here instead"

That way a malicious user/attacker can't enumerate the existing emails at a large scale

Collapse
karlkras profile image
Karl Krasnowsky

Yeah, I know this is the preferred "safe" response, but can be frustrating when you're "sure" that was the email (I have many) and don't get a response.
I would prefer an email be sent anyway with a message telling me that the email provided wasn't registered so at least I know the process is working.
I don't see a security problem with this approach? Though it may result in an increase of bounced emails from fat fingered entries.

Collapse
nanasv profile image
Nana aka y_chris

if I was a hacker, I should know from the message that my details is not, hence no email with some link.
so to me it's still the same.

Forem Open with the Forem app