Validation email with fully formed link to POST the code & email address?

[dan-burt]

The default email template includes some text to the user, with a URL link to nopass.me.

I am authenticating users on a PHP-based web app / site. My current flow is using a 2nd form which the user manually enters the code received. Once submitted, a 3rd page completes the validation stage of authentication.

Could this be formatted as a simple link to click, that would include the required parameters (email & code)? Ideally as POST.

[frsechet]

You can already do that as you can control the content of the email that is sent to the user. You can for example in this email provide a link that's formatted as you want, for example with your parameters as query params.

However since it's a link for the user to click on, it will never be a POST request, always a GET request.

[dan-burt]

Thanks for the prompt response. It wasn't an issue, more a question / suggestion.

Also thanks for confirming it will be a GET request. Does this invalidate the authentication process, in your opinion? As the parameters will be visible in the headers, rather than embedded in the data packet.

[frsechet]

If it's over http, neither the body nor the query params are secure (you can't have a body in GET requests). If it's over https, both are secure. It doesn't matter how you decide to do it. Query params are fine 😊

[frsechet]

FYI, link to the docs: https://www.nopass.me/docs