
Does forwarding magic link work?

Open hgezim opened this issue 7 years ago • 2 comments

I don't see any use in allowing users to forward their magic links and exposing this larger security hole.

It would be nice if the library stored a cookie on the client when they request a magic link and, when logging in, it can check to ensure the cookie is there; if not, the login attempt fails.

hgezim avatar Aug 14 '18 19:08 hgezim
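One way to implement the binding the issue proposes, as an added example that is not django-authlib's code and not part of this thread. It is framework-free so it runs stand-alone: when a magic link is requested, a random cookie value is generated for the requesting browser, and only a hash of that value is included in the signed link payload. At login, the link is accepted only if the browser also presents the matching cookie. `SECRET_KEY`, `COOKIE_NAME`, `LINK_MAX_AGE` and the function names are assumptions for the example (in a Django project the key would be `settings.SECRET_KEY`).

```python
"""Added example: tie a magic-link token to the browser that requested it.

Not django-authlib code. The token format (email|issued|cookie_hash|hmac)
and all names below are choices made for this example only.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

SECRET_KEY = b"constructed-secret-for-the-example"  # assumption: settings.SECRET_KEY in Django
COOKIE_NAME = "magic_link_binding"  # hypothetical cookie name
LINK_MAX_AGE = 600  # seconds a link stays valid after issue


def _sign(message: bytes) -> str:
    """HMAC-SHA256 over the payload so neither the email nor the binding can be altered."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def _binding_of(cookie_value: str) -> str:
    """Only the hash of the cookie goes into the link; the link alone never reveals the cookie."""
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def request_magic_link(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (token_for_the_emailed_link, cookie_value_to_set_on_the_requesting_browser)."""
    issued = int(now if now is not None else time.time())
    cookie_value = secrets.token_urlsafe(32)
    payload = f"{email}|{issued}|{_binding_of(cookie_value)}"
    token = f"{payload}|{_sign(payload.encode())}"
    return token, cookie_value


def verify_magic_link(token: str, cookie_value: Optional[str],
                      now: Optional[float] = None) -> Optional[str]:
    """Return the email when the token is authentic, unexpired and presented by the
    browser holding the binding cookie; return None in every other case."""
    now = now if now is not None else time.time()
    try:
        # rsplit from the right: the last three fields never contain '|', the email might.
        email, issued, binding, sig = token.rsplit("|", 3)
    except ValueError:
        return None
    payload = f"{email}|{issued}|{binding}"
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None  # tampered or forged link
    if now - int(issued) > LINK_MAX_AGE:
        return None  # expired
    if cookie_value is None:
        return None  # link forwarded to, or opened in, a browser that never requested it
    if not hmac.compare_digest(binding, _binding_of(cookie_value)):
        return None  # cookie present but belongs to a different request
    return email


if __name__ == "__main__":
    # Constructed scenario: Alice requests a link, then forwards the email to Mallory.
    token, alice_cookie = request_magic_link("alice@example.com")
    print("same browser:", verify_magic_link(token, alice_cookie))      # alice@example.com
    print("forwarded, no cookie:", verify_magic_link(token, None))      # None
    print("other browser:", verify_magic_link(token, "unrelated"))      # None
```

In a Django view the cookie would be set on the response to the "send me a link" form with `response.set_cookie(COOKIE_NAME, cookie_value, max_age=LINK_MAX_AGE, httponly=True, secure=True, samesite="Lax")` and read back via `request.COOKIES.get(COOKIE_NAME)` in the login view. The trade-off to state to users: the link now only works in the browser that asked for it, so requesting a link on a laptop and opening the email on a phone fails by design.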

I'm not completely sure what you're asking. Maybe you're referring to this?

When hitting the login view, the link passed with the next query parameter is saved in a cookie. The redirect only happens if the target is a safe URL: https://github.com/matthiask/django-authlib/blob/762d8612f5149076218bfd9a7eaa23c3658864af/authlib/views.py#L25

There might be a security hole somewhere (I'm no security expert) but I don't see the problem right away. Care to enlighten me?

matthiask avatar Aug 14 '18 20:08 matthiask

Ah, I see what you're referring to. Sorry for being dense at first.

Yes, that would be a good addition.

matthiask avatar Aug 14 '18 20:08 matthiask