-
Notifications
You must be signed in to change notification settings - Fork 123
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add magic link force login config #1135
base: develop
Are you sure you want to change the base?
Conversation
// Check if already logged in. | ||
if ($userId !== null) { | ||
// Check if already logged in and magic link force login config. | ||
if ($userId !== null && config('Auth')->allowMagicLinkForceLogin === false) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to invalidate the following security check.
So I think this is a security hole.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we delete the old session and then continue its state safely?
@@ -23,6 +23,15 @@ in the **app/Config/Auth.php** file. | |||
public int $magicLinkLifetime = HOUR; | |||
``` | |||
|
|||
### Magic Link Force Login | |||
|
|||
By default, Magic Link will throw Logic exception if current user session is exist. If you want replace existing user session with new user session change it to `true` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LogicException means, "your code has a bug, so please fix it".
So I never accept a flag to disable LogicException.
This PR seems to be wrong implementation.
First of all, why a logged in user uses magic link login?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I submit a magicLink request using the incognito browser, then the magicLink sends an email to my my gmail in main browser. when opened it will cause a LogicException because in my main browser I am already logged in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But this scenario rarely happens in real cases. this case often occurs when development involves switching accounts with specific roles.
This could happen rarely. |
Shield does not have a feature to switch accounts. |
I agree instead of displaying exception/whoops page. |
Description
This feature provides config for developers so that the behavior when checking user sessions in the
startLogin
function can be easily controlled. So the user does not need to log out to assign a new user session.We also set the default value in that configuration to
false
to preserve the previous behaviorChecklist: