Feature Request: Add OTP for Email in Auth about nhost HOT 7 OPEN

Thanks for the detailed feature request, we will look into it when planning future work.

from nhost.

Curious if you guys plan on implementing this? Honestly, in our project, we are just going to have to reluctantly use Clerk for Auth, instead of the built in Nhost Auth because there is no way we want to tether our application to a bunch of links and redirects. There are so many problems with links nowadays (this is why you even wrote this: https://nhost.io/blog/protect-magic-links-from-email-clients), it's just a an antiquated solution and I really don't see any Auth library using them anymore as a first choice. Everyone sends a 6 digit code by email, to verify email and then another code for changing password. We are tempted to just follow this example from Lucia Auth (https://lucia-auth.com/guides/email-and-password/email-verification-codes) and hook it into Nhost Auth, but honestly we don't know enough about the inner workings of your code to feel confident this can work, so seems like a waste effort. But, I'm sure someone who is more familiar with your codebase can easily implement the type of solution Lucia recommends. All the code is on that page, it's just a matter of putting the functions into your Auth package. Thanks for listening.

from nhost.

Curious if you guys plan on implementing this?

Yes, this is something we will certainly want to add.

there is no way we want to tether our application to a bunch of links and redirects

Remember you can already use codes (even though longer). I know you prefer 6-digits codes but as a temporary solution it might be easier than using clerk as migrating from clerk might be difficult.

In any case, if what you want is security and convenience nothing beats weabuthn/keypass so you might want to look into that instead.

from nhost.

"Remember you can already use codes (even though longer)". what do you mean by this? Thanks.

from nhost.

This:

#2642 (comment)

So basically what you are describing can already be implemented by tweaking the email template. The difference between your proposal and what we are providing already is that you want a 6 digits code (or similar) and what we offer is a more difficult to guess uuid.

from nhost.

Oh yeah, OK. Would never send UUID as a code to type in, impossible for most people to type in correctly. Better off with link then, which is probably why links were used in the first place with this auth flow, because asking someone to type in a UUID would be a total disaster. Can't imagine how many calls we would get, for basic typos.

from nhost.

Yes, the expectation in this case would be to copy & paste.

from nhost.