Passwordless logins

Mailbox challenges also work well for passwordless login flows.

Generate and email the challenge

1
import { Passlock, isChallengeRateLimitedError } from "@passlock/server";
2

3
const passlock = new Passlock({ ... });
4

5
// cpatured in a login form
6
const email = "...";
7

8
const user = await findUserByEmail(email);
9
if (!user) {
10
  throw new Error("Account not found");
11
}
12

13
const result = await passlock.createMailboxChallenge({
14
  email,
15
  userId: user.id,
16
  purpose: "login",
17
  // any pending "login" challenges for this userId will be nuked
18
  invalidateOthers: true,
19
});
20

21
if (result.success) {
22
  const { challengeId, secret, message } = result.value.challenge;
23

24
  // save this in the user's session or a secure HTTP only cookie
25
  await savePendingChallenge({
26
    purpose: "login"
27
    challengeId,
28
    secret,
29
  });
30

31
  await emailCodeToUser({ email, message });
32
} else if (isChallengeRateLimitedError(result.error)) {
33
  return showRateLimit(result.error.retryAfterSeconds);
34
} else {
35
  throw new Error(result.error.message);
36
}

Verify the code and create a session

1
import { Passlock } from "@passlock/server";
2

3
const passlock = new Passlock({... });
4

5
// fetch from the user's session or secure cookie
6
const pendingChallenge = await loadPendingChallenge({ purpose: "login" });
7

8
const result = await passlock.verifyMailboxChallenge({
9
  challengeId: pendingChallenge.challengeId,
10
  secret: pendingChallenge.secret,
11
  code: form.code, // the user submitted this
12
});
13

14
if (result.success) {
15
  const { challenge } = result.value;
16
  await createLoginSession(challenge.userId);
17
} else {
18
  return throw new Error(result.error.message);
19
}