From here:
https://firebase.google.com/docs/auth/web/email-link-auth#security_concerns

> To prevent a sign-in link from being used to sign in as an unintended user or on an unintended device, Firebase Auth requires the user's email address to be provided when completing the sign-in flow. For sign-in to succeed, this email address must match the address to which the sign-in link was originally sent.
>
> You can streamline this flow for users who open the sign-in link on the same device they request the link, by storing their email address locally - for instance using localStorage or cookies - when you send the sign-in email. Then, use this address to complete the flow. Do not pass the user's email in the redirect URL parameters and re-use it as this may enable session injections.

This library does exactly this in the `sendOobCode` method. You can verify the issue by initiating sign in on one device and then completing it on another. This should not work--the user should be required to re-enter their email address in that case.
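The flow the quoted Firebase documentation describes, as an added example written for this page (it is not the library's code and does not use the Firebase SDK): the email is remembered in local storage on the device that requested the link, taken from there when the link is opened on the same device, asked from the user when the link is opened elsewhere, and never read from the link's URL parameters. The "auth server" is a constructed stand-in that binds each one-time code to the address the link was sent to and rejects a completion attempt with any other address. The function names `createAuthServer`, `requestSignInLink` and `completeSignIn`, the hostname `example.invalid` and the storage key `emailForSignIn` are assumptions for this example.

```javascript
// Added example: models the email-link sign-in completion rule from the
// Firebase docs quoted above. The server below is a constructed stand-in for
// Firebase Auth, not the real backend.

const EMAIL_STORAGE_KEY = 'emailForSignIn'; // assumed key name

// Constructed stand-in for the auth backend: each one-time code is bound
// server-side to the address the link was sent to.
function createAuthServer() {
  const codes = new Map(); // oobCode -> bound email
  let counter = 0;
  return {
    // Issue a sign-in link. Note the email is NOT placed in the URL.
    sendSignInLink(email) {
      const oobCode = `code-${++counter}`;
      codes.set(oobCode, email);
      return `https://example.invalid/finishSignIn?oobCode=${oobCode}`;
    },
    // Complete sign-in: the supplied email must match the bound address.
    signInWithEmailLink(email, link) {
      const oobCode = new URL(link).searchParams.get('oobCode');
      const bound = codes.get(oobCode);
      if (!bound) throw new Error('invalid or expired link');
      if (bound !== email) {
        throw new Error('email does not match the address the link was sent to');
      }
      codes.delete(oobCode); // one-time use
      return { email };
    },
  };
}

// Client, step 1: request the link and remember the email on THIS device only.
function requestSignInLink(server, storage, email) {
  const link = server.sendSignInLink(email);
  storage.setItem(EMAIL_STORAGE_KEY, email);
  return link;
}

// Client, step 2: complete sign-in. The email comes from local storage (same
// device) or from the user (different device), never from the link's URL.
function completeSignIn(server, storage, link, promptForEmail) {
  let email = storage.getItem(EMAIL_STORAGE_KEY);
  if (!email) {
    email = promptForEmail(); // different device: user must re-enter the address
  }
  const result = server.signInWithEmailLink(email, link);
  storage.removeItem(EMAIL_STORAGE_KEY);
  return result;
}

// Minimal localStorage stand-in so the example runs outside a browser.
function createStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed scenarios: same device, different device with a wrong address,
// different device with the correct address.
function runScenarios() {
  const server = createAuthServer();
  const phone = createStorage();

  // Same device: the stored email is used and the user is not prompted.
  let promptedOnSameDevice = false;
  const link1 = requestSignInLink(server, phone, 'alice@example.com');
  const sameDevice = completeSignIn(server, phone, link1, () => {
    promptedOnSameDevice = true;
    return '';
  });

  // Different device: nothing stored, so the user is asked. A wrong address
  // is rejected by the server; the link stays unused.
  const laptop = createStorage();
  const link2 = requestSignInLink(server, phone, 'alice@example.com');
  let mismatchRejected = false;
  try {
    completeSignIn(server, laptop, link2, () => 'wrong@example.com');
  } catch (e) {
    mismatchRejected = true;
  }
  // The correct address entered on the other device completes sign-in.
  const otherDevice = completeSignIn(server, laptop, link2, () => 'alice@example.com');

  return {
    sameDeviceEmail: sameDevice.email,
    promptedOnSameDevice,
    mismatchRejected,
    otherDeviceEmail: otherDevice.email,
  };
}
```

The point the issue makes maps onto `completeSignIn`: the only two sources for the email are the device's own storage and the user, so a link opened on another device cannot complete sign-in without the user re-entering the address.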
The problem is that when visiting the mail from a different device (which is very common), the cookie will not be present and the mail will need to be provided by the user again.
It feels awkward to ask for the mail right after asking for it a second ago, but I understand the importance of this.