
Latchkey

Passwordless login that survives the in-app-browser → system-browser cookie-jar handoff — a magic-link flow that keeps working when the OS hands the link off from a webview to the user's real browser.

Role: Software Engineer Intern · Coldwell Banker Indonesia
Timeline: 2026
Status: Published
  • TypeScript
  • Node
  • Fastify
  • Magic-link auth
  • SHA-256 tokens
  • CI · fully tested

In-app browser

  • GET /verify

    magic-link token

  • webview cookie jar

    isolated

Server · verify

  • 302 → /app?handoff

    no cookie set

  • handoff token

    10s · single-use

System browser

  • OS hands off URL

    token rides along

  • POST /auth/handoff

    browser-initiated

Server · session

  • Set-Cookie: session

    lands in real jar

  • GET /api/me → 200

    signed in

Highlights

  • /verify sets no cookie

    It mints a 10-second, single-use handoff token that rides the URL, the one thing portable across the webview → system-browser jump.

  • SHA-256 token storage, atomic single-use redemption

    Deterministic O(1) lookup with the raw token never stored; the SQL WHERE clause is the lock, so two racing redemptions can't both win.

  • A small, runnable demo

    HttpOnly · SameSite=Lax · Secure cookies, uniform 401 on any token failure, fully tested with green CI and no database needed to run.
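
The handoff-token lifecycle from the highlights above, as an added sketch that is not Latchkey's own code: only the SHA-256 of the token is stored, and redemption is a single check-and-mark step. The names `HandoffStore`, `mint`, `redeem` and `TTL_MS`, the in-memory `Map` standing in for a table, and the SQL shape in the comment are all assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Assumed names throughout; this is an illustration, not the project's code.
const TTL_MS = 10_000; // 10-second lifetime, as stated on the page

interface Row {
  userId: string;
  expiresAt: number;
  usedAt: number | null;
}

const sha256 = (raw: string): string =>
  createHash("sha256").update(raw).digest("hex");

class HandoffStore {
  // Keyed by SHA-256(token): lookup is a direct key hit, and a dump of this
  // map never yields a usable token.
  private rows = new Map<string, Row>();

  mint(userId: string, now: number): string {
    const raw = randomBytes(32).toString("base64url");
    this.rows.set(sha256(raw), { userId, expiresAt: now + TTL_MS, usedAt: null });
    return raw; // travels only in the redirect URL
  }

  // In-memory equivalent of one conditional UPDATE (assumed schema):
  //   UPDATE handoff SET used_at = :now
  //    WHERE token_hash = :h AND used_at IS NULL AND expires_at > :now
  // followed by "exactly one row changed?". No await sits between the check
  // and the write, so two racing redemptions cannot both pass it.
  redeem(raw: string, now: number): string | null {
    const row = this.rows.get(sha256(raw));
    if (!row || row.usedAt !== null || row.expiresAt <= now) {
      return null; // unknown, replayed and expired are indistinguishable
    }
    row.usedAt = now;
    return row.userId;
  }
}

// The caller maps every null to the same response (uniform 401).
const statusFor = (userId: string | null): number => (userId ? 200 : 401);
```
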
