Loading challenge...
Magic Link Login
Capture a single-use magic link from the inbox and navigate it; replays return 410
What you will learn
- Capture an authentication credential from an out-of-band side channel (mock inbox), not the page UI
- Drive passwordless login by navigating a captured one-time URL and verifying the post-login state
- Handle single-use semantics: recognize 410 on replay and request a fresh token per run
Magic Link Login โ Email Side Channel
There is no password field. Authentication happens by opening a one-time link delivered out-of-band โ your test must capture it from the inbox and navigate to it
Request a login link for an email, read the captured link from the inbox side channel (a mock mailbox at /api/lab/inbox), then visit it. The link is single-use: replaying the same token returns 410 Gone.
Real-world parallel: passwordless / "magic link" auth where the credential never lives in the UI โ the automation lesson is reading an external channel and doing a fresh navigation on the captured URL.
Request a Magic Link
Send a login link, then peek the inbox to capture it
Testing Tips
Automation hints
- โ Fill
#magic-emailand click#magic-request, then assert#magic-statusmentions the inbox โ the UI alone never reveals the token - โ Read the link from the side channel:
GET /api/lab/inbox?to=<email>&kind=magicreturns{ token, link }; the same link surfaces in#magic-linkafter#magic-peek - โ Do a fresh navigation on the captured URL โ the component reads
?token=on mount and reveals#magic-successon200 - โ Single-use: replaying a consumed token returns
410and shows#magic-errorโ capture a new token per run, never reuse one - โ Invalid or expired tokens return
401โ also#magic-error; assert on#magic-success[data-state=success]for a genuine pass
