+ client components, route handlers, redirects, and fetch
How to test: Log in and refresh the page to see iron-session in action.
How it works
- The form is submitted to /app-router-magic-links/session (API route) via a POST call (non-fetch). The API route generates a sealed token and returns the magic link to the client so it can be either sent or used right away. When the magic link is visited, it sets the session data and redirects back to /app-router-magic-links (this page).
- The page gets the session data via a fetch call to /app-router-magic-links/session (API route). The API route either returns the session data (logged in) or a default session (not logged in).
- The logout is a regular link navigating to /app-router-magic-links/logout, which destroys the session and redirects back to /app-router-magic-links (this page).
Pros: Simple.
Cons: Dangerous if not used properly. Without any invalidations or blacklists, the magic link can be used multiple times if compromised.
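One way to close the reuse gap named in the cons, as an added example that is not part of this page's code or of iron-session: the route handler that receives the magic link checks the unsealed payload against a used-link list before setting the session. The payload fields jti (a random per-link id) and exp (expiry in milliseconds), and the names UsedLinkStore and redeemMagicLink, are assumptions made for illustration.

```javascript
// Added example: single-use enforcement for an unsealed magic-link payload.
// Assumed payload shape: { userId, jti, exp } with exp in ms since epoch.

class UsedLinkStore {
  constructor() {
    // jti -> exp. In-memory only: a multi-instance deployment needs a shared
    // store with an atomic "set if absent" operation instead.
    this.used = new Map();
  }

  // Entries for expired links can go; the exp check rejects those links anyway.
  prune(now) {
    for (const [jti, exp] of this.used) {
      if (exp <= now) this.used.delete(jti);
    }
  }

  // Returns true only for the first redemption of a given jti.
  consume(jti, exp, now) {
    this.prune(now);
    if (this.used.has(jti)) return false;
    this.used.set(jti, exp);
    return true;
  }
}

// Call after unsealing succeeds and before any session data is written.
function redeemMagicLink(payload, store, now = Date.now()) {
  const wellFormed = payload &&
    typeof payload.userId === 'string' &&
    typeof payload.jti === 'string' && payload.jti !== '' &&
    Number.isFinite(payload.exp);
  if (!wellFormed) return { ok: false, reason: 'malformed' };
  if (payload.exp <= now) return { ok: false, reason: 'expired' };
  if (!store.consume(payload.jti, payload.exp, now)) {
    return { ok: false, reason: 'replayed' };
  }
  return { ok: true, userId: payload.userId };
}

// Constructed sample: the same link presented twice, then again after expiry.
function demo() {
  const store = new UsedLinkStore();
  const t0 = 1700000000000;
  const link = { userId: 'alice', jti: 'constructed-id-1', exp: t0 + 60000 };
  return [0, 1000, 61000].map((dt) => redeemMagicLink(link, store, t0 + dt));
}
```

Keeping each used id only until its link expires bounds the list's size, which is why a short expiry on the sealed token matters as much as the list itself.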