Skip to content

Admin-link email with admin code #33

Description

@malpou

Artifacts in openspec/changes/admin-link-email/.

What

  • Optional email field on /create; empty field = exactly today's behavior, invalid address rejected.
  • With an email: one transactional email (Cloudflare Email Service send_email binding, best-effort, address never stored) in the poll's language carrying the organizer link and an 8-char admin code.
  • The code gates organizer pages once per browser (HttpOnly cookie remembers it; creator's browser unlocked at creation). New nullable events.admin_code column — NULL = ungated, existing polls untouched.

Why

The organizer URL is the only admin credential. Its token (~131 bits) is not brute-forceable, but URLs leak — history, logs, screen shares, forwarded screenshots. The code is a second secret so a leaked URL alone no longer grants admin access. Trade-off (accepted): link and code travel in the same email, so this defends against URL leakage, not a compromised inbox.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions