I’m trying to implement a passwordless email login strategy. Essentially, someone types in their email address and is then redirected to a form where they enter a 6-digit code they were emailed. They’re also emailed a magic link should they wish to click that instead.
I roughly understand the mechanics of how to implement this–create or update an email address->code mapping when the form is submitted, email the code, accept the code via form/link and delete it, and expire it after a short timeout. I’m just not clear how to implement it as an Ueberauth strategy. In the above, is the request phase:
- Someone typing in an email address, triggering the code to be generated and emailed (i.e. requesting the code).
- Someone typing in a code or clicking a magic link, requesting a successful or failed authentication.
Either way, I gather the response phase is accepting the code from the user either via form or link, and either succeeding or failing to authenticate.
What I’m unclear about is that I’d seem to have two request phases here–a request for the email address, and a second request for the code. Or is it actually a single request disguised as two? (i.e. the ultimate request flow checks both the email address and code?)
Thanks for any guidance. I’ll likely have more questions once I get a bit more clarity on these.
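The email->code mapping described in the post (create or replace on submit, redeem via form code or magic link, delete on use, expire after a short timeout), as an added example that is not part of the original post and not Ueberauth code: a language-neutral in-memory store in Python, with the store logic being what a strategy's two phases would call. The TTL, attempt cap and method names are assumptions; secrets are stored hashed and bound to the address, and a wrong-guess cap is included because a 6-digit code is only safe online if guesses are limited.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed "short timeout" for the emailed code
MAX_ATTEMPTS = 5         # assumed cap: a 6-digit code must not be brute-forceable online


def _digest(email: str, secret: str) -> bytes:
    # Bind the secret to the address so a code issued for one email cannot be replayed for another.
    return hashlib.sha256(f"{email.lower()}:{secret}".encode()).digest()


class EmailCodeStore:
    """Email -> pending-secret mapping, kept in memory for the example (a DB row in practice)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised without sleeping
        self._pending = {}   # email -> {"code": digest, "link": digest, "expires": float, "attempts": int}

    def issue(self, email: str) -> tuple:
        """Request phase: create or replace the pending secrets; returns (code, link_token) to email."""
        code = f"{secrets.randbelow(1_000_000):06d}"   # what the user types into the form
        link_token = secrets.token_urlsafe(32)          # what the magic link carries; not guessable
        self._pending[email.lower()] = {
            "code": _digest(email, code),
            "link": _digest(email, link_token),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code, link_token

    def redeem(self, email: str, submitted: str, via: str = "code") -> bool:
        """Callback phase: succeed once and delete; expiry or too many wrong guesses also delete."""
        if via not in ("code", "link"):
            raise ValueError("via must be 'code' or 'link'")
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[key]   # expired: drop it rather than leaving a stale secret behind
            return False
        if not hmac.compare_digest(entry[via], _digest(email, submitted)):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[key]   # too many wrong guesses: the user must request a new code
            return False
        del self._pending[key]   # single use: redeeming either the code or the link retires both
        return True
```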