Implement email magic link authentication system #9

Open
opened 2026-02-25 16:05:11 +01:00 by libretech · 0 comments
Summary

Implement passwordless authentication via email magic links for the multi-tenant backend.

Design

  • Generate cryptographically secure one-time tokens
  • Send magic link emails via configurable SMTP provider
  • Token expiration (e.g., 15 minutes)
  • Rate limiting on magic link requests
  • Token invalidation after use

Implementation Tasks

  • Add magic link token generation and storage
  • Implement /auth/login endpoint (accepts email, sends magic link)
  • Implement /auth/verify endpoint (validates token, issues JWT)
  • Configure SMTP email sending
  • Add rate limiting per email address
  • Add token expiration and cleanup

Security Considerations

  • Tokens must be cryptographically random (min 32 bytes)
  • Links must be single-use
  • Rate limit to prevent email bombing
  • HTTPS-only for magic link URLs
  • Constant-time token comparison

Acceptance Criteria

  • User can request a magic link by email
  • Clicking the link authenticates the user and returns a JWT
  • Expired/used tokens are rejected
  • Rate limiting prevents abuse
  • Works with common email providers
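An added example, not code from this issue or the project, showing how the token requirements above fit together in one place: at least 32 random bytes, a 15-minute expiry, single use, and a constant-time comparison. It assumes a Python backend and an in-memory store, and uses a hypothetical split token of the form `selector.verifier` so the database only ever holds a hash of the part that grants access.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32             # issue: at least 32 random bytes per token
TOKEN_TTL_SECONDS = 15 * 60  # issue: expire after e.g. 15 minutes


class MagicLinkStore:
    """Single-use magic-link tokens (added example; in-memory store).

    The emailed token is "<selector>.<verifier>": the selector locates the
    row, the verifier is checked in constant time against a stored SHA-256
    hash, so a read-only leak of the store yields nothing replayable.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for tests; defaults to wall clock
        self._rows = {}      # selector -> dict(email, verifier_hash, expires_at, used)

    def issue(self, email):
        selector = secrets.token_urlsafe(16)            # lookup key, not secret
        verifier = secrets.token_urlsafe(TOKEN_BYTES)   # the actual credential
        self._rows[selector] = {
            "email": email,
            "verifier_hash": hashlib.sha256(verifier.encode()).digest(),
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return f"{selector}.{verifier}"  # only ever placed inside the https:// link

    def verify(self, token):
        """Return the email on success, None otherwise. Consumes the token."""
        selector, sep, verifier = token.partition(".")
        row = self._rows.get(selector)
        if not sep or row is None:
            return None
        presented = hashlib.sha256(verifier.encode()).digest()
        # constant-time compare: no early exit on the first differing byte
        if not hmac.compare_digest(presented, row["verifier_hash"]):
            return None
        if row["used"] or self._clock() > row["expires_at"]:
            return None
        row["used"] = True  # single use: replaying the same link now fails
        return row["email"]

    def purge_expired(self):
        """Cleanup task from the issue: drop used rows and rows past expiry."""
        now = self._clock()
        stale = [s for s, r in self._rows.items() if r["used"] or r["expires_at"] < now]
        for s in stale:
            del self._rows[s]
        return len(stale)
```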
libretech added the phase-1 label 2026-02-25 16:05:11 +01:00
libretech added the task label 2026-02-28 20:25:52 +01:00
libretech changed title from Implement authentication system to Implement email magic link authentication system 2026-02-28 20:25:53 +01:00
libretech added the backend and security labels 2026-02-28 22:00:42 +01:00