kosinus | 2 years ago
Right away, a partial mitigation for current versions of Portier is to modify the `email_*.mustache` templates to remove the link. But a second piece of information Portier leaks is simply which sites you're logging into. That's right in the subject for Portier, and not something you can customize for current versions.
I think it's worthwhile to try and harden against this type of attack, but I'm worried the effect is limited. There's often nothing stopping someone from simply starting the login process / creating a new session, so an attacker just has to know where, and there are a bunch of ways to find out.