cesargb / laravel-magiclink Goto Github PK

Hello, thank you for sharing this package. I have a question about extending the behavior of the middleware. Let me explain our use case:

1. We use magic links to provide users with a link to create their profile
2. After their profile is created, if they use the magic link again, it should take them to the dashboard

Our problem is that after the profile is created, when a user clicks the magic link again, they are redirected to the profile screen. This is a problem because it opens a security loop where someone can reset the password.

We have tried creating our own middleware to handle the check and redirect to the dashboard. However, in all cases, the user is redirected to the profile screen (this is the original redirect route when the magic link is created).

Is it possible to extend the middleware provided by the package? If not, would it be better to use events for this use case? If so, how are events used in this package?

Lastly, if there is a better solution, what would you recommend?

Thank you :)

I need to set a link that contains message to user that says your link is not valid because...
The link should be set in config file
Thanks

Feature request for changing the APP_URL while it's being generated with Laravel's built in url() helper at here MagicLink.php#L76C7-L76C7

I'll probably make a PR for it

Do you have any idea how to use this package for an Android app and provide a login token for it?

Hi,

I'm using this script in my poll. Generating poll address for customers auto login and text message to mobile. Everything ok when i create new one. But when the expire the link, i need to update sometimes the link lifetime.. I research the database and i found in magic_links table, available_at column. I tried update this column data but still cannot open the poll. Bcos, the link is dead. What should i do?

edit: i checked again for available_at column change:
first; i created new link for poll. Expire date 40 days later and i changed date today and i gave 1 hour for expire and work again. when i change it expired time, its forwarded to expired page and i changed 1 hour later again but its not working. I mean, if any link expired and visited expired link, then its not working anymore..

Hello @cesargb :)

I'm sending login links to users that are only valid for one visit. This is to prevent users from sharing their login link with others.
I've found that Outlook users are having issues with this. When they click the link in Outlook the url is "scanned" by Outlook and that "scan" is basicly doing the first visit. So when the browser opens the link, it is no longer valid.

I see in the logs that Outlook performs an HEAD request to the URL. Then the browser performs the GET request.

192.168.0.6 - [10/Apr/2023:14:55:44 +0200] "HEAD /host/login/82875115-1b3f-4303-8f55-4241a4248c53:GjZTBY5kxv HTTP/1.1" 302 -
192.168.0.6 - [10/Apr/2023:14:55:45 +0200] "GET  /host/login/82875115-1b3f-4303-8f55-4241a4248c53:GjZTBY5kxv HTTP/1.1" 301 502

I didnt find anyway to stop HEAD requests in the route, but in the middleware it can be added. I've tested adding this to MagiclinkMiddleware. Works fine.

if ($request->method() != "GET") {
    die();
}

Do you think this is something that makes sense to add to this package?

Since Laravel 8 the Trait Prunable exist (Doc), it would be nice to have it in upcoming releases.

Tem um erro no arquivo MagicLink, na linha 35 para ser mais específico. Tem que retirar o espaço/tab da função config pois ao mudar o path da url no arquivo de config ele não reconhece devido a esse espaço.

After a link has been created and sent to the user, how do i make it invalid so that the user cannot use that link, may be because his access to the site was revoked?

Hi

Would be cool to be able to create a download link that require the visitor to enter access code before the download start

Database migration creates a column for the token with a maximum length of 100 symbols. But you can change that token length value in configuration to a value bigger than 100 and get the Data too long for column 'token' at row 1 SQL error.

Great package you have made! Thanks.

Is it possible in any way to set "remember me" for the login action?
I want the login session to last longer than the global SESSION_LIFETIME that is defined in .env.

I'm sorry for the confusion, but I couldn't get to this page to customize it.

The latest change to the library broke my code:

I have extended your model class and done some modifications, such as overriding \Illuminate\Database\Eloquent\Model::getConnectionName to my custom one. The self keyword, do break the code, since it refers to the same class in which the new keyword is actually written. In that case, my getConnectionName is ignored and is not called.

The solution would be to use static since it uses late static binding, which refers to the class you called the method on.
It should not break your code, but enable it for further modification/extension.

Is there any reason to do that? Why would you restrict modification of your code?

In this case, other methods will also be affected, for example:

I want to change the file name when downloading the file. What can I do about this?

as in your example i'm trying to redirect with the following line
$action->response(redirect(route('drop.private', ['drop' => $drop])));

if i use:

$action->redirect(route('drop.private', ['drop' => $drop]));

it works but only writes out the url not a location header.

Laravel 9
PHP 8.1
magiclink ^2.12

I think it would be better to set the "path" in cookie to the current path of the request instead of setting it only to "/"

cookie(
    'magic-link-access-code',
    encrypt($request->get('access-code')),
    0,
    $request->getPathInfo()
)

otherwise all MagicLinks with the same access code will be visible if this was entered already on another link.

Hi

The config options invalid_response is working quite okay, but..

How do I figure out the reason for why the link is invalid?

is is because the token is invalid, after the life time or number of visits that is the reason ?

I need the migration to be published since I'm using multi tenancy

We've been seeing this error more frequently which seems to happen when a user tries to use a magic link with an invalid token. We send magic links in an onboarding email to allow users access to complete their profile, and we think users are going back to this email and using the link to try and login again.

I've tracked this back to the getMagicLinkByToken method on the MagicLink class:

In our case, this is returning null for whatever reason, and then when the MagicLinkController tries to call run(), its calling it on null and throwing the exception.

Do you have any ideas on how we can work around this? Ideally, if someone visits a link where the token is invalid, we could show them a page with more information and maybe a form to resend a magic link (we would implement this ourselves if possible)?

Thank you for taking time to share this package - it has been very helpful in getting our onboarding flow figured out. Any and all feedback is appreciated, and thank you again 🙏

We've occasionally been hitting this error, and from the looks of the stack trace, it seems like a huge amount of information is being stored in the action column. It would appear the entire User model is being stuffed in there.

We're using the library in a wrapper function, where the $route could be a named route or a URL:

if (Route::has($route)) {
 $redirect = redirect(route($route));
} else $redirect = redirect($route);

return MagicLink::create(new LoginAction($user, $redirect), $lifetime,$maxVisits)

I want to get the file from ftp disk and give it to DownloadFileAction(). What can I do to do this?

on line 182 , it should add a '$' before 'lifetime'

After publishing the config file magiclink laravel throws an exception Illuminate \ Contracts \ Container \ BindingResolutionException Target class [view] does not exist..

I were able to resolve it by changing the response error to a string instead of a response function or view in config/magiclink.php:51

I used a fresh installation of laravel 7.6.2 using PHP version 7.4.5 on Ubuntu 18.04 LTS

so I'm using multiple authentication guards and when i try to get the id of a user like this

'patient_id' => Auth::guard('users')->user()->id,
I get an error in phpstorm that says this

but functionally everything works

We have a Managed MySQL Server with DigitalOcean. In it's default config it comes with system variable 'sql_require_primary_key` set.
This prevents us running migrations with the following error

Migrating: 2017_07_06_000000_create_table_magic_links

   Illuminate\Database\QueryException 

  SQLSTATE[HY000]: General error: 3750 Unable to create or change a table without a primary key, when the system variable 'sql_require_primary_key' is set. Add a primary key to the table or unset this variable to avoid this message. Note that tables without a primary key can cause performance problems in row-based replication, so please consult your DBA before changing this setting. (SQL: create table `magic_links` (`id` char(36) not null, `token` varchar(255) not null, `action` text not null, `num_visits` tinyint unsigned not null default '0', `max_visits` tinyint unsigned null, `available_at` timestamp null, `created_at` timestamp null, `updated_at` timestamp null) default character set utf8mb4 collate 'utf8mb4_unicode_ci')

My only fix was this inelegant solution - changing the migration file

 public function up()
    {
        Schema::create(config('magiclink.magiclink_table', 'magic_links'), function (Blueprint $table) {
            $table->bigIncrements( 'iid' );
            $table->uuid('id');
            $table->string('token', 255);
            $table->text('action');
            $table->unsignedTinyInteger('num_visits')->default(0);
            $table->unsignedTinyInteger('max_visits')->nullable();
            $table->timestamp('available_at')->nullable();
            $table->timestamps();

        });
    }

Other migrations run as expected - just this one.

Any suggestions?

Running into an issue with the serialized string being store in Postgres. The text datatype seems to not like the escaping in the serialized string. The following seems to be the same issue.

Crinsane/LaravelShoppingcart#362