Feature: Remove the email from the passwordless magic link.
Description: The magic link generated for passwordless currently includes the user’s email in the URL, we have no control over it, the authentication API POST /passwordless/start does that automatically. As part of the GDPR policy of our company we shouldn’t log any PII (Personally Identifiable Information) or send it to any 3rd party providers. Even though we could add some logic to strip any query parameters from the logs, something we have already in place, those emails could end up in any other 3rd party systems we integrate with i.e analytics, monitoring… that capture URLs. We don’t have control over them so it would be safer if the email was not sent or at least if it needs to be included, to be hashed.