
OAuth loginWithCredential when already logged in

Open mightymatth opened this issue 3 years ago • 0 comments

✅ Prerequisites

  • [x] Did you perform a cursory search of open issues? Is this bug already reported elsewhere?
  • [x] Are you running the latest SDK version?
  • [x] Are you reporting to the correct repository (magic-sdk)?

🐛 Description

After login with OAuth and getting a redirect URL to our website, it fails to log in if the user is already logged in.

🧩 Steps to Reproduce

  1. Click to log in with OAuth (e.g. Google)
  2. When it opens a Google window, enter your credentials.
  3. After a successful redirect to your website, log in with credentials:
magic.auth.loginWithCredential(window.location.search)

🤔 Expected behavior

We should get a successful response from the loginWithCredential() method.

😮 Actual behavior

In console, we get HTTP 500 error on route https://api.magic.link/v2/auth/user/redirect/login with the payload:

data: {}
error_code: "AUTH_USER_MISSING_EMAIL_FOR_REDIRECT_LOGIN"
message: "Auth user is missing an email address for redirect login."
status: "failed"

This happens with any method called on the provider. I figured out that, before I even try to call magic.oauth.loginWithCredential(), I call magic.auth.isLoggedIn(), and if it returns true, I don't need to call login again. If I call login with credential, it will throw 500 again. I don't know how I'm already logged in when I come back, but ok. On some browsers, it's not the case and I'm logged out all the time.

🌎 Environment

| Software | Version(s) |
| --- | --- |
| magic-sdk | 7.0.0 |
| Browser | chrome, brave, safari |
| yarn | no. npm 8.5.1, node v14.17.5 |
| Operating System | macOS |

mightymatth avatar Feb 28 '22 10:02 mightymatth

Hello @mightymatth, after successful auth, subsequent loginWithCredential calls do not need to be made. That's only needed after initial login and in the redirect context, or if the end user has logged out or invalidated sessions. You are correct in using isLoggedIn to check whether a user has a valid session.

ayv8er avatar Aug 17 '22 15:08 ayv8er

I'm completely sure that your Auth system is broken in this particular case and you didn't even try to reproduce it, but you easily closed the issue after 6 months just to get rid of it. Gz for you! That's how it's done to have better performance at your job, not to make a product better.

mightymatth avatar Aug 17 '22 15:08 mightymatth

I am sorry you feel this way, that wasn't our intent. What you explained doesn't need to be reproduced because it's expected.

The only use case of loginWithCredential is if you're employing an email login method while passing in a redirectURI argument. And even in this case, you should only call this method in the redirect context, not when a user returns and you'd like to check if their session is still valid.

As for Google social logins, you would not use loginWithCredential. The original context via loginWithRedirect would redirect your user to the callback where you would call getRedirectResult. In this scenario again, if the user returns, you would not check their session validity via loginWithCredential. https://magic.link/docs/auth/login-methods/social-logins/integration/oauth-implementation/web

Please let me know if you need more clarity, or if you believe I am misunderstanding your issue.

ayv8er avatar Aug 17 '22 16:08 ayv8er
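
The callback handling described in the replies above, as an added example that is not part of the thread and is not Magic's own code: check for an existing session first, and exchange the redirect credential only when there is none. It assumes the app records which flow it started (`flow` is a hypothetical parameter) and uses the SDK's `magic.user.isLoggedIn()` for the session check; `nextStep`, `completeRedirectLogin` and `fakeMagic` are names made up for this sketch.

```javascript
// Added example, not Magic's code. Assumption: the app records which login
// flow it started ('oauth' or 'email') before redirecting, for instance by
// using separate callback routes, and passes it in as `flow`.

// Pure decision: which SDK call, if any, the callback page should make.
function nextStep(loggedIn, flow, search) {
  if (loggedIn) return 'skip'; // session already valid, nothing to exchange
  const params = new URLSearchParams(search || '');
  if ([...params.keys()].length === 0) return 'none'; // not a redirect context
  if (flow === 'oauth') return 'getRedirectResult';
  if (flow === 'email') return 'loginWithCredential';
  return 'none';
}

// `magic` is an initialised Magic instance with the OAuth extension loaded.
async function completeRedirectLogin(magic, flow, search) {
  const step = nextStep(await magic.user.isLoggedIn(), flow, search);
  try {
    if (step === 'getRedirectResult') {
      return { step, result: await magic.oauth.getRedirectResult() };
    }
    if (step === 'loginWithCredential') {
      return { step, result: await magic.auth.loginWithCredential(search) };
    }
    return { step, result: null };
  } catch (err) {
    // Hand SDK/API rejections (such as the HTTP 500 quoted in this issue)
    // back to the caller instead of leaving an unhandled rejection.
    return { step, error: err };
  }
}

// Constructed stand-in for the SDK so the example runs offline.
function fakeMagic(loggedIn) {
  const calls = [];
  return {
    calls,
    user: { isLoggedIn: async () => loggedIn },
    oauth: { getRedirectResult: async () => { calls.push('oauth'); return { ok: true }; } },
    auth: { loginWithCredential: async () => { calls.push('email'); return 'did-token'; } },
  };
}

completeRedirectLogin(fakeMagic(true), 'oauth', '?sample=constructed')
  .then((r) => console.log(r.step)); // skip
```

In a browser the call would be `completeRedirectLogin(magic, 'oauth', window.location.search)` on the callback page.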