Which would come from the person that’s trying to login, right?
I don’t think I understand the problem. Person A tries to log in; B receives a magic link, does not click it but forward it to A; A clicks it and gets logged in.
I’ve done this myself successfully, even with services pinning the link to A’s client IP (which is a bad idea anyway in an age of privacy proxies, CG-NATs, dynamic IPs etc.)
I don’t think I understand the problem. Person A tries to log in; B receives a magic link, does not click it but forward it to A; A clicks it and gets logged in.
I’ve done this myself successfully, even with services pinning the link to A’s client IP (which is a bad idea anyway in an age of privacy proxies, CG-NATs, dynamic IPs etc.)