How to Implement a Magic Link Authentication using Node.js and JSON Web Token (JWT)
Common passwordless authentication method - Edition #17
Hey, I'm Marco and welcome to my newsletter!
As a software engineer, I created this newsletter to share my first-hand knowledge of the development world. Each topic we will explore will provide valuable insights, with the goal of inspiring and helping all of you on your journey.
In this episode I will explain how the magic link authentication mechanism works, using an example implementation.
You can download all the code shown directly from my GitHub repository: https://github.com/marcomoauro/magic-link-auth
👋 Introduction
Passwordless login is a modern authentication method that allows users to access their accounts without entering a traditional password.
Instead of relying on passwords, users receive a secure authentication link or code via email, SMS, or other communication channels. This approach enhances security by reducing the risks associated with password-based authentication, such as password theft or phishing attacks.
This approach provides a seamless and user-friendly authentication experience while maintaining a high level of security.
Substack login
Substack also uses this approach for its users' logins.
If the login is successful, a session token is generated and returned in a Set-Cookie header, so the browser automatically sends it on every subsequent request to the server, which identifies the user from it. This approach is stateful: the session state is kept on the database side.
How do I know this information?
I made a system that allows email sequences to be sent in Substack. To build it, I used the internal calls that the client makes to the backend, and to make them work I reverse engineered the platform to understand how the communication happens. I documented everything in this episode:
JSON Web Tokens simplify this mechanism. Firstly, the protocol is stateless: the token itself carries everything needed for verification, such as the issuer, the expiration time and the signature that proves its authenticity. It also carries a payload (the claims) for useful information such as the user ID or email. This payload must not contain sensitive information, since the claims are usually only Base64-encoded, not encrypted; for sensitive data, encryption is recommended.
Are you curious about how JSON Web Tokens work and the encryption methods that can be used? Sign up, I'll share a post with you in the upcoming weeks!
❓ How it works
We can use this sequence diagram to explain how magic link authentication works:
User starts the registration process by entering their email address