Passwordless login is rapidly becoming a new standard, but the Netlify implementation currently requires an Enterprise plan to support even accepting 3rd party JWT tokens. The Enterprise plan level far outstrips the needs of our app in every other way at the moment, so we can’t justify the upgrade to get access to this feature.
We might have considered the upgrade regardless if the Identity product offered a native passwordless login experience, but it doesn’t seem to be supported currently: https://github.com/netlify/netlify-identity-widget/issues/337. However, even if general magic link login were supported, there may be security-enhancing features offered by specialized vendors (such as device binding via webauthn) that I don’t expect to see supported anytime soon.
In practice, this means that all my functions require a custom middleware to decode the JWTs, which both adds to the complexity of the codebase and potentially creates security vulnerabilities, as decoding the tokens in “userspace” can be error-prone. This is especially an issue in a lambda function context, because the more battle-tested middlewares like passport aren’t readily usable there without spinning up a full express app, or using cumbersome adapters.
My feature request therefore is this: please allow netlify-provided JWT decoding and clientContext population at the Pro level. This will substantially increase DX and security for lambda function devs.