Magic link with OTP fallback?

Hey, I'd like to implement a passwordless flow where the user would receive an email with: a) a link that would log them in, and b) if they e.g. want to log in on a different device, they can enter the OTP that would also be in the email on the page they see after entering the email.

I can handle either of these easily with existing plugins (Magic Link and Email OTP), but how should I approach a hybrid solution? I thought about simply changing the generateToken implementation (e.g. to something that generates an 8-character-long alphanumeric string) in Magic Link's settings and then calling .verify on the frontend page where the user can enter the code. But I'm not sure if that's safe considering the OTP's .verify requires the user's email; I don't know why the approach is different there. Does that sound like a legit solution? I'd rather avoid building a custom endpoint.

Also a bit of a side question, but how do you generally call redirecting endpoints from an SPA (.verify from Magic Link will still redirect on error even if I don't pass the callbackURL - that's not ideal)? If I just call the authClient's function, the browser won't get redirected. I could hardcode the URL and just use location.replace(). But if there's a way to do it differently with the authClient, let me know. Hono Client has a nice feature where each endpoint has a .$url method. I don't see anything like that in the authClient.
0 Replies
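An added example, not part of the original post and not Better Auth's API: a minimal in-memory store for the hybrid flow described above, where the long link token is looked up on its own but the short 8-character code is only ever checked against the record for the supplied email and is capped at a few guesses. All function names, the lifetime and the attempt limit are assumptions.

```javascript
// Added example; hypothetical names throughout, not Better Auth's API.
const nodeCrypto = require("node:crypto");

const TTL_MS = 5 * 60 * 1000;  // assumed lifetime shared by link and code
const MAX_OTP_ATTEMPTS = 3;    // assumed guess budget per issued code
const ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const pending = new Map();     // email -> record; stand-in for a DB table
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Issue both credentials for one email: a 256-bit link token and a short code.
function issue(email, now = Date.now()) {
  const linkToken = nodeCrypto.randomBytes(32).toString("base64url");
  const otp = Array.from({ length: 8 }, () => ALPHABET[nodeCrypto.randomInt(36)]).join("");
  pending.set(email, {
    linkHash: sha256(linkToken), // store hashes, not the raw values
    otpHash: sha256(otp),
    expires: now + TTL_MS,
    attempts: 0,
  });
  return { linkToken, otp };     // both are sent in the same email
}

// Link path: the token is long and random, so it can be matched without an email.
function verifyLink(linkToken, now = Date.now()) {
  const h = sha256(linkToken);
  for (const [email, rec] of pending) {
    if (rec.expires > now && nodeCrypto.timingSafeEqual(rec.linkHash, h)) {
      pending.delete(email);     // single use: the code dies with the link
      return email;
    }
  }
  return null;
}

// Code path: a short code is guessable, so it is compared only with the record
// for this email, and every call counts against that record's guess budget.
function verifyOtp(email, otp, now = Date.now()) {
  const rec = pending.get(email);
  if (!rec || rec.expires <= now) return null;
  if (++rec.attempts > MAX_OTP_ATTEMPTS) {
    pending.delete(email);       // budget spent: link and code are both revoked
    return null;
  }
  if (!nodeCrypto.timingSafeEqual(rec.otpHash, sha256(otp))) return null;
  pending.delete(email);         // single use: the link dies with the code
  return email;
}
```

If the short code were instead matched the way `verifyLink` matches tokens, a single guess would be tested against every outstanding code at once and no per-user attempt counter could apply.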