Does forwarding magic link work? #4

Open
hgezim opened this issue Aug 14, 2018 · 2 comments

hgezim commented Aug 14, 2018

I don't see any use in allowing users to forward their magic links and exposing this larger security hole.

It would be nice if the library stored a cookie on the client when they request a magic link and when logging in, it can check to ensure the cookie is there, if not, the login attempt fails.

@matthiask
Owner

I'm not completely sure what you're asking. Maybe you're referring to this?

When hitting the login view, the link passed with the `next` query parameter is saved in a cookie. The redirect only happens if the target is a safe URL:

```python
return next if is_safe_url(url=next, **kw) else None
```

There might be a security hole somewhere (I'm no security expert) but I don't see the problem right away. Care to enlighten me?

@matthiask
Owner

Ah, I see what you're referring to. Sorry for being dense at first.

Yes, that would be a good addition.
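
The cookie binding proposed in this issue, sketched as an added example that is not the project's code: the link token carries a hash of a random nonce, and the nonce itself is set as a cookie in the browser that requested the link, so a forwarded link fails in any other browser. All names (`issue_magic_link`, `verify_magic_link`, `SECRET_KEY`, `MAX_AGE`) are hypothetical, and the key is a constructed value.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
MAX_AGE = 600                         # assumption: link lifetime in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())

def issue_magic_link(email, now=None):
    """Return (token to e-mail, nonce to set as a cookie on the requesting browser)."""
    nonce = secrets.token_urlsafe(32)
    body = {
        "email": email,
        "iat": int(time.time() if now is None else now),
        # Only the hash travels in the e-mail; the nonce stays in the browser cookie
        # (which should be set HttpOnly, Secure and SameSite=Lax by the view).
        "bind": hashlib.sha256(nonce.encode()).hexdigest(),
    }
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}", nonce

def verify_magic_link(token, cookie_nonce, now=None):
    """Return the e-mail address on success, None on any failure."""
    payload, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None  # malformed or tampered token
    # The payload is parsed only after its signature has been checked.
    body = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time() if now is None else now)
    if now - body["iat"] > MAX_AGE:
        return None  # link expired
    if not cookie_nonce:
        return None  # opened in a browser that never requested the link
    seen = hashlib.sha256(cookie_nonce.encode()).hexdigest()
    if not hmac.compare_digest(seen, body["bind"]):
        return None  # cookie belongs to a different login request
    return body["email"]
```

A login view would call `verify_magic_link(token, request.COOKIES.get(...))` and delete the cookie after the first successful use.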
