Fixed API endpoint: /login/api-token - cannot log user in if already logged in

Rezpkt

Member
Affected version
2.2.3
If a user is logged in and they use the login link returned from /api/auth/login-token to log into a different account, they are still logged in as the old user.

I do not know if this has been overlooked or if it is by design, but I can't think of a reason to stop a user doing this.

In src/XF/Pub/Controller/Login.php actionApiToken() it is checking to see if the user is not logged in before doing the login.

PHP:
if (!\XF::visitor()->user_id)
{
     /** @var \XF\ControllerPlugin\Login $loginPlugin */
     $loginPlugin = $this->plugin('XF:Login');
     $loginPlugin->completeLogin($token->User, $remember);
}

I am suggesting that it should be possible to use an api-token to log into a different account if you are already logged in.
This then becomes
PHP:
if (!\XF::visitor()->user_id || \XF::visitor()->user_id !== $token->user_id)
{
    /** @var \XF\ControllerPlugin\Login $loginPlugin */
    $loginPlugin = $this->plugin('XF:Login');
    $loginPlugin->completeLogin($token->User, $remember);
}

or the condition removed entirely

Thanks
 
Last edited:
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.4).

Change log:
When logging in via an API generated token, allow the existing logged in user to be replaced (if logged in as a different user) with the new user if force=1 appended to the URL.
There may be a delay before changes are rolled out to the XenForo Community.
 
This was mostly as designed but to add an additional layer of flexibility, from 2.2.4 onwards it is possible to append force=1 to the URL in order to force a replacement of the current logged in user.
 
Back
Top Bottom