seeking some advice on how to handle auth

hi, i’m trying to build basically a glorified survey web app. i want to be able to generate for example N “accounts” and be able to send a link out to people which would authenticate them and they’d be able to start filling in the survey. think of it like google forms except the link you get is unique by being invited and it expired in like 2 weeks

is this usecase a good fit for next-auth’s magic link feature?
habibi pluto ☻ · OP · 13mo ago
the important thing is i won’t be storing emails. i just want to be able to create links to invite people, so only people who have an invite link can use it, and we can identify the data by “account ID” or something

i do also want to have an admin portal for which i would need accounts

the way the links are sent to users is out of scope for my project btw
KyratKing · 13mo ago
How do you assume that the users will be able to verify/authenticate themselves with that link? I believe you need to have an OTP authentication system. The flow would be something like this:

1. You create a unique link
2. You send the link to the user
3. The user opens the link
4. The user has to enter their phone number or email to receive an OTP
5. If the user enters the OTP successfully, then you can authenticate that user and allow them to perform the next set of steps.

In the database, I believe you'd need to save the unique link (a code) with the user's email/phone number, since an email can be used against more than one unique link. You'd need to save the user's email or phone number in order to maybe contact them later or do an email campaign, etc.
habibi pluto ☻ · OP · 13mo ago
thanks for your message, i understand that’s usually how this sort of thing is done but it’s a requirement that we don’t have a flow involving email verification or similar, we want people to be able to fill in the survey without signing in with one click and no extra setup. the survey is a one-time thing, and if we need to contact them afterwards we have other ways of doing that.

they get the link in a secure way through our government’s digital post system so there is 2fa there — as long as users don’t share the link with others we know the person who is filling in the survey is the person we sent it to

i assume the link has a token in it which the web app exchanges for an auth token when clicked? this is my first time doing a fullstack app (i normally do frontend only), i watched a video about magic links earlier and this was my understanding
Solution
KyratKing · 13mo ago
I see, in that case, if you have all of the user's information, then for each form against a user, save the unique codes. Something like this:

User A -> 6AVS21AC
User B -> 9AS2OS1C
User A -> 8VPWAM3

This way, when each of the forms is submitted, you'd know which user has submitted their form. You can also forbid submitting a form more than once using a flag or something similar. And if you need, you can also fetch and populate the needed user's data.
habibi pluto ☻ · OP · 13mo ago
that makes sense — thanks a bunch! i just wanted a sanity check to make sure the idea wasn’t dumb
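
The code-per-user scheme from the accepted solution, sketched as an added example (not code from the thread or from next-auth). It assumes Node.js; the in-memory `invites` map, the `acct-N` ID scheme, and the function names are hypothetical stand-ins for a database table and your own naming. Tokens are 256-bit random values, only their SHA-256 hash is stored, links expire after two weeks, and a flag blocks a second submission.

```javascript
const { randomBytes, createHash } = require("node:crypto");

const TWO_WEEKS_MS = 14 * 24 * 60 * 60 * 1000;
const sha256 = (s) => createHash("sha256").update(s).digest("hex");

// Hypothetical store: tokenHash -> invite row. The raw token is never kept,
// so a leaked table cannot be replayed as working invite links.
const invites = new Map();

// Generate n invites; the returned raw tokens go into the links, shown once.
function createInvites(n, now = Date.now()) {
  const links = [];
  for (let i = 0; i < n; i++) {
    const token = randomBytes(32).toString("hex"); // unguessable, unlike short codes
    const accountId = `acct-${invites.size + 1}`; // constructed ID scheme
    invites.set(sha256(token), {
      accountId,
      expiresAt: now + TWO_WEEKS_MS,
      submitted: false,
    });
    links.push({ accountId, token });
  }
  return links;
}

// Validate the token from a clicked link; no email or OTP involved.
function checkInvite(token, now = Date.now()) {
  const invite =
    typeof token === "string" ? invites.get(sha256(token)) : undefined;
  if (!invite) return { ok: false, reason: "unknown" };
  if (now >= invite.expiresAt) return { ok: false, reason: "expired" };
  if (invite.submitted) return { ok: false, reason: "already_submitted" };
  return { ok: true, accountId: invite.accountId };
}

// Accept a submission once per invite and tie the answers to the account ID.
function submitSurvey(token, answers, now = Date.now()) {
  const result = checkInvite(token, now);
  if (!result.ok) return result;
  invites.get(sha256(token)).submitted = true; // the "flag" from the solution
  return { ok: true, accountId: result.accountId, answers };
}
```
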