I’m guessing this applies to all implementations of sign-in links, but since I’m using Firebase I’d like to understand their concerns: https://firebase.google.com/docs/auth/web/email-link-auth#security_concerns
> Do not pass the user’s email in the redirect URL parameters and re-use it as this may enable session injections.
What exactly are the concerns here?
Knowing that Firebase sign-in links:
- Expire after 6 hours
- Can only be used once
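To make the quoted warning concrete, here is an added JavaScript example (editor's addition, not from the question above and not Firebase's own code). The Firebase SDK is replaced by a small mock that only models two properties the question lists and the docs describe: a link is bound to the address it was mailed to, and it can be used once. The "session injection" scenario it walks through is a constructed illustration of what the docs' wording is assumed to mean: if the email that completes the sign-in is read back from the redirect URL, then whoever requested the link also chose that email, so a link requested for one account can be completed in somebody else's browser. The `emailForSignIn` storage key is the one used in Firebase's documentation snippet; every other name, URL and address here is made up for the example.

```javascript
// Added example: simulates completing a Firebase-style email-link sign-in in two ways,
// the pattern the docs warn against (email taken from the redirect URL) and the
// recommended one (email kept on the device that requested the link).
// The SDK is stood in for by a mock; nothing here talks to Firebase.

// Mock of the backend: a sign-in link is bound to the address it was sent to,
// completing it with any other address fails, and each link works only once.
function makeMockAuth() {
  const issued = new Map(); // oobCode -> email the link was mailed to
  let counter = 0;
  return {
    sendSignInLinkToEmail(email, continueUrl) {
      const oobCode = `code${++counter}`;
      issued.set(oobCode, email);
      const url = new URL('https://app.example/finishSignIn'); // hypothetical app URL
      url.searchParams.set('oobCode', oobCode);
      url.searchParams.set('continueUrl', continueUrl);
      return url.toString();
    },
    signInWithEmailLink(email, link) {
      const oobCode = new URL(link).searchParams.get('oobCode');
      if (!issued.has(oobCode)) throw new Error('auth/invalid-action-code');
      if (issued.get(oobCode) !== email) throw new Error('auth/invalid-email');
      issued.delete(oobCode); // single use
      return { user: { email } };
    },
  };
}

// Pattern the docs warn against: the email travels in the redirect URL and is
// reused on completion, so whoever built the link also chose the email.
function completeSignInFromUrl(auth, link) {
  const continueUrl = new URL(new URL(link).searchParams.get('continueUrl'));
  const email = continueUrl.searchParams.get('email');
  return auth.signInWithEmailLink(email, link);
}

// Recommended pattern: the email is stored on the device that requested the link
// (the Firebase docs snippet uses the localStorage key 'emailForSignIn'); a device
// that never requested a link has nothing stored and must ask the user instead.
function completeSignInFromDevice(auth, link, deviceStorage, promptForEmail) {
  const email = deviceStorage.get('emailForSignIn') ?? promptForEmail();
  return auth.signInWithEmailLink(email, link);
}

// Constructed scenario: the attacker requests a link for their own account and
// gets the victim to open it. Returns which account each flow ends up signed into.
function runScenario() {
  const attacker = 'attacker@example.com';
  const victim = 'victim@example.com';
  const results = {};

  // Vulnerable flow: the attacker's email rides along in the redirect URL, so the
  // victim's browser completes the sign-in into the attacker's account.
  {
    const auth = makeMockAuth();
    const link = auth.sendSignInLinkToEmail(
      attacker, `https://app.example/?email=${encodeURIComponent(attacker)}`);
    results.vulnerable = completeSignInFromUrl(auth, link).user.email;
  }

  // Hardened flow, same attacker-supplied link: the victim's device has nothing
  // stored, the victim types their own address, and the backend rejects the mismatch.
  {
    const auth = makeMockAuth();
    const link = auth.sendSignInLinkToEmail(attacker, 'https://app.example/');
    const victimDevice = new Map();
    try {
      completeSignInFromDevice(auth, link, victimDevice, () => victim);
      results.hardened = 'signed-in';
    } catch (e) {
      results.hardened = e.message;
    }
  }

  // Hardened flow, legitimate case: the device that requested the link completes it.
  {
    const auth = makeMockAuth();
    const device = new Map([['emailForSignIn', victim]]);
    const link = auth.sendSignInLinkToEmail(victim, 'https://app.example/');
    results.legitimate = completeSignInFromDevice(
      auth, link, device, () => { throw new Error('unexpected prompt'); }).user.email;
  }
  return results;
}
```

Running `runScenario()` yields `vulnerable: 'attacker@example.com'` (the victim's browser now holds a session for the attacker's account), `hardened: 'auth/invalid-email'` and `legitimate: 'victim@example.com'`. The expiry and single-use properties do not help against this: the forwarded link is fresh and unused when the victim clicks it, which is why the email check has to come from something the attacker does not control.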