I have built an email OTP login process using 2 backend API workflows. The first workflow currently is this:

Step 1 - Make changes to User. (Calculate a 6 digit RandomString and save it on a field on the User that is protected from anyone accessing it via privacy rules)
Step 2 - Send email to the user with the 6 digit code generated by step 1.
Step 3 - Assign a temp password to the user.
Step 4 - Log the user in (with the password from step 3).
Step 5 - Update the user's credentials (change the user's password to the 6 digit code).
Step 6 - Make changes to User (delete the 6 digit code that was saved as text on the user in step 1).
Step 7 - Log the user out.
Step 8 - Schedule the second API workflow with a 3 min delay.
The second API resets the 6 digit password of the user to a long complex random string
The code that is being emailed to the user is not being sent to the user's browser (as far as I can tell so far), but all of the fields that would be available to a logged in user are being sent to the browser before the person is logged in: Created Date, Name, profile pic link, slug, user ID etc. I would prefer that nothing is returned from the workflow. I don't want a potential hacker to know whether or not the email is even in the system, let alone all of this data. What happens server side is secure, but not when the server is returning all of the JSON data it gathered during this process to the client...
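The two properties the post is after (the client never learns whether the email exists, and no user fields leave the server until the code has been verified) are easier to see in plain code than in a no-code workflow. The following is an added example, not the poster's Bubble workflow and not Bubble's API: a minimal Python issuance/verification pair in which the request endpoint returns the same fixed response for known and unknown emails, the code is hashed with a server-side key before it is stored, and verification enforces the same 3-minute expiry the post uses plus an attempt limit. `USERS`, `PENDING`, `SERVER_SECRET`, `deliver` and the field names are all constructed stand-ins for the app's datastore and mailer.

```python
"""Enumeration-safe email OTP issuance and verification (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

OTP_TTL_SECONDS = 180     # same 3-minute window as the scheduled reset in the post
MAX_ATTEMPTS = 5          # a 6-digit code is guessable if attempts are unlimited
SERVER_SECRET = secrets.token_bytes(32)   # assumption: one per-deployment secret, kept server side

# Constructed in-memory stand-ins for the app's datastore (assumption, not a real DB).
USERS = {"alice@example.com": {"user_id": "u-1", "name": "Alice", "slug": "alice"}}
PENDING = {}   # email -> {"digest": bytes, "expires": float, "attempts": int}

PUBLIC_OK = {"status": "ok"}   # the only body request_otp ever returns to the client


def _digest(email: str, code: str) -> bytes:
    # Keyed hash: the raw code is never persisted, and a leaked record cannot be
    # brute-forced offline over the 10^6 code space without SERVER_SECRET.
    return hmac.new(SERVER_SECRET, f"{email}\x00{code}".encode(), hashlib.sha256).digest()


def request_otp(email: str, deliver: Callable[[str, str], None],
                now: Optional[float] = None) -> dict:
    """Issue a code if the account exists; return an identical response either way."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
    digest = _digest(email, code)              # computed for unknown emails too (similar timing)
    if email in USERS:
        PENDING[email] = {"digest": digest, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        deliver(email, code)   # the code goes to the mailbox, never into the HTTP response
    # No user fields and no "not found" branch are visible to the caller.
    return dict(PUBLIC_OK)


def verify_otp(email: str, code: str, now: Optional[float] = None) -> Optional[dict]:
    """Return a session for a valid, unexpired, unused code; otherwise None."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    entry = PENDING.get(email)
    if entry is None:
        return None
    if now > entry["expires"]:
        del PENDING[email]       # expired: same effect as the post's scheduled reset
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[email]       # too many guesses: the code is dead, request a new one
        return None
    if not hmac.compare_digest(entry["digest"], _digest(email, code)):
        return None              # constant-time comparison, no detail about why it failed
    del PENDING[email]           # single use
    user = USERS[email]
    # Only now, after proof of mailbox control, is any user data released.
    return {"session": secrets.token_urlsafe(32), "user_id": user["user_id"]}
```

The shape to copy into the workflow is the split between the two endpoints: the request step's response carries no data derived from the lookup at all, and every user field is released only from the verify step. The expiry and attempt counter replace the post's "log in, change password, log out, reset later" sequence with a single stored digest that is deleted on use, on expiry, or after too many wrong guesses.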
Yeah, to do what it is required to do, privacy rules have to be ignored on the workflow. I’m thinking I may have to make a new data type that shows only the email and blocks everything else. Run the workflow on that datatype so the only thing that is returned is the email address.
I had created this for another user a few months ago. I used QR codes, but underlying it are some temporary codes of course. If you are interested, check it out: