Require credentials before accessing billing info from a Session Link

Rain

While logging in to Kagi with session link URLs is very useful, it's a bit creepy that I can get to my Stripe credit card info with just knowledge of the Session Link URL. Any chance to add an (opt-in?) settings checkbox for requiring the full username + password authentication before being able to access the user's billing page? Or more generalized, have a session link access scopes for "just be able to use Kagi, without seeing any identifiable user info", ideally. The risk of a session key leak via browser history etc. revealing user info seems a bit disconcerting, be it via user mistake or some third party system not assuming URL history is sensitive. Thanks.

Vlad

Rain That is a reasonable request. Note that you can invalidate your session link at any time.

pyji

This would be a great feature. I'd like to be able to use a Session Link to allow Kagi on a slightly untrusted device, like a work machine. I don't need Kagi administrative access on my work machine, just search.

Vlad

@z64 does the upcoming 2FA feature include this change (2fa prompt on billing)

z64

Vlad It does not currently. Strictly speaking this is a seperate feature, those without 2FA should be gated by account password as well, and 2FA may be able to substitute in some circumstances if they have it enabled. We can definitely try to ship it together.

Vlad

This was implemented.