feat: add magic link force login config #1135
Conversation
| // Check if already logged in. | ||
| if ($userId !== null) { | ||
| // Check if already logged in and magic link force login config. | ||
| if ($userId !== null && config('Auth')->allowMagicLinkForceLogin === false) { |
There was a problem hiding this comment.
This seems to invalidate the following security check.
So I think this is a security hole.
There was a problem hiding this comment.
should we delete the old session and then continue its state safely?
| @@ -23,6 +23,15 @@ in the **app/Config/Auth.php** file. | |||
| public int $magicLinkLifetime = HOUR; | |||
| ``` | |||
|
|
|||
| ### Magic Link Force Login | |||
|
|
|||
| By default, Magic Link will throw Logic exception if current user session is exist. If you want replace existing user session with new user session change it to `true` | |||
There was a problem hiding this comment.
LogicException means, "your code has a bug, so please fix it".
So I never accept a flag to disable LogicException.
This PR seems to be wrong implementation.
First of all, why a logged in user uses magic link login?
There was a problem hiding this comment.
I submit a magicLink request using the incognito browser, then the magicLink sends an email to my my gmail in main browser. when opened it will cause a LogicException because in my main browser I am already logged in.
There was a problem hiding this comment.
But this scenario rarely happens in real cases. this case often occurs when development involves switching accounts with specific roles.
This could happen rarely. |
Shield does not have a feature to switch accounts. |
I agree instead of displaying exception/whoops page. |
Description
This feature provides config for developers so that the behavior when checking user sessions in the
startLoginfunction can be easily controlled. So the user does not need to log out to assign a new user session.We also set the default value in that configuration to
falseto preserve the previous behaviorChecklist: