Summary
The passwordless magic link token is returned in the API response body. Anyone who intercepts the response can authenticate as that user without a password.
Affected File
services/auth-service/index.js:1618
Root Cause
// The passwordless token (allows password-free login) is returned in the JSON response
res.json({
    token: passwordlessToken, // Anyone with this token can log in as this user
    expiresIn: 300
});
The magic link token should be sent via email/SMS only, never returned in the API response. Returning it in the response means:
- Anyone who can read network traffic (proxy, logging middleware, browser dev tools) gets a permanent access token
- The token bypasses password authentication entirely
Impact
- Anyone who intercepts the API response can authenticate as any user
- The "passwordless" feature is reduced to "no password needed if you can read the response"
- Makes a mockery of the authentication system
Fix Required
Remove the token from the API response. Instead:
- Send the token via email only (the actual magic link)
- Return only: { success: true, message: "Check your email for the login link" }
- Never expose the token in any API response