Building A Passwordless Login Process

I have built an email OTP login process using 2 backend API workflows. The first workflow currently is this:
Step 1 - Make changes to User. (Calculate a 6 digit RandomString and saves it on on a field on the User that is protected from anyone accessing it via privacy rules)
Step 2 - Send email to the user with the 6 digit code generated by step 1.
Step 3 - Assign a temp password to the user
Step 4 - Log the user in (with the password from step 3)
Step 5 - Update the users credentials (change users password to 6 digit code)
Step 6 - Make Changes to user ( delete the 6 digit code that was saved as text on the user in step 1)
Step 7 - Log the user out
Step 8 - Schedule second API work flow with a 3 min delay

The second API resets the 6 digit password of the user to a long complex random string

The code that is being emailed to the user is not being sent to the users browser (as far as I can tell so far), but all of the fields that would be available to a logged in user is being sent to the browser before the person is logged in. Created Date, Name, profile pic link, slug, user ID etc. I would prefer that nothing is returned from the workflow. I don’t want a potential hacker to know whether or not the email is even in the system or not, let alone all of this data. What happens server side is secure, but not when the server is returning all of the JSON data it gathered during this process to the client…

Have you considered just doing the Send magic login link action? :sweat_smile:

Oh that was my initial thought! haha

Unfortunately my users will be regularly logging onto computers that they would not be able to receive email on.

1 Like

I don’t want to suggest something stupid that will require privacy rules removed… thinking :thinking: …hopefully someone else chimes in.

1 Like

Yeah, to do what it is required to do, privacy rules have to be ignored on the workflow. I’m thinking I may have to make a new data type that shows only the email and blocks everything else. Run the workflow on that datatype so the only thing that is returned is the email address.

I had created this for another user a few months ago. I used QR codes but underlying is some temporary codes of course. If you are interestes, check it out:


Damn… this is legit! Thanks for sharing… definitely have some new gears turning in my head now!!

1 Like