Fixed API endpoint: /login/api-token - cannot log user in if already logged in

Affected version
2.2.3

Rezpkt

Member
If a user is logged in and they use the login link returned from /api/auth/login-token to log into a different account, they are still logged in as the old user.

I do not know if this has been overlooked or if it is by design, but I can't think of a reason to stop a user doing this.

In src/XF/Pub/Controller/Login.php actionApiToken() it is checking to see if the user is not logged in before doing the login.

PHP:
if (!\XF::visitor()->user_id)
{
     /** @var \XF\ControllerPlugin\Login $loginPlugin */
     $loginPlugin = $this->plugin('XF:Login');
     $loginPlugin->completeLogin($token->User, $remember);
}

I am suggesting that it should be possible to use an api-token to log into a different account if you are already logged in.
This then becomes
PHP:
if (!\XF::visitor()->user_id || \XF::visitor()->user_id !== $token->user_id)
{
    /** @var \XF\ControllerPlugin\Login $loginPlugin */
    $loginPlugin = $this->plugin('XF:Login');
    $loginPlugin->completeLogin($token->User, $remember);
}

or the condition removed entirely

Thanks
 
Last edited:

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.4).

Change log:
When logging in via an API generated token, allow the existing logged in user to be replaced (if logged in as a different user) with the new user if force=1 appended to the URL.
There may be a delay before changes are rolled out to the XenForo Community.
 

Chris D

XenForo developer
Staff member
This was mostly as designed but to add an additional layer of flexibility, from 2.2.4 onwards it is possible to append force=1 to the URL in order to force a replacement of the current logged in user.
 
Top