So the usual flow for a magic link is:
- User clicks on the link in their email (e.g. https://ift.tt/2nZRJ4Q)
- Page is opened in the email’s in-app browser.
- Token is stored in the in-app browser’s local storage and token is removed from the URL (either by redirection or some other method).
- User is logged in (in the in-app browser).
The problem happens if the user then clicks “Open this app in Safari” (or another browser) in a mobile in-app browser. The user will be logged out, since the local storage state is not carried over and the token was already removed from the URL parameter, unless the token is present as a query parameter on every page URL, which is insecure and defeats the purpose of using local storage.
What is the best solution for this use case without providing a typical login flow (username/pw)? (Or is that the only way?) Seems like you cannot browse any app in iOS using a magic link via an actual browser app since the magic link will always come from your email app (and hence, will always be opened using the in-app browser).
from Problem with magic link in iOS when opening within mobile in-app browser
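The failure described in the question, modeled as an added example that is not part of the original post: each browser app is given its own isolated local storage, and the hand-off to Safari carries only the already-stripped URL. The `token` parameter name, the `auth_token` storage key, the `app.example` host and the token value are constructed for illustration.

```javascript
// Constructed model: every browser app keeps its own, isolated local storage.
class BrowserContext {
  constructor(name) {
    this.name = name;
    this.localStorage = new Map(); // stands in for window.localStorage
    this.currentUrl = null;
  }

  // Landing-page logic from the flow above:
  // store the token, then remove it from the visible URL.
  open(url) {
    const u = new URL(url);
    const token = u.searchParams.get("token"); // parameter name is an assumption
    if (token) {
      this.localStorage.set("auth_token", token); // storage key is an assumption
      u.searchParams.delete("token"); // effect of the redirect / URL rewrite
    }
    this.currentUrl = u.toString();
    return this.currentUrl;
  }

  isLoggedIn() {
    return this.localStorage.has("auth_token");
  }
}

// "Open in Safari" passes along the current URL only, never the storage.
function openInOtherBrowser(from, to) {
  to.open(from.currentUrl);
  return to;
}

function demo() {
  const inApp = new BrowserContext("mail in-app browser");
  const safari = new BrowserContext("Safari");
  // Constructed magic link; the token value is a placeholder.
  inApp.open("https://app.example/login?token=CONSTRUCTED-TOKEN");
  openInOtherBrowser(inApp, safari);
  return {
    inAppLoggedIn: inApp.isLoggedIn(),   // token landed in this context's storage
    safariLoggedIn: safari.isLoggedIn(), // nothing was carried over
    urlHandedOver: safari.currentUrl,    // no longer contains the token
  };
}

console.log(demo());
```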