Fixed API endpoint: /login/api-token - cannot log user in if already logged in

Rezpkt

Member
Affected version: 2.2.3
If a user is logged in and they use the login link returned from /api/auth/login-token to log into a different account, they are still logged in as the old user.

I do not know if this has been overlooked or if it is by design, but I can't think of a reason to stop a user doing this.

In src/XF/Pub/Controller/Login.php actionApiToken() it is checking to see if the user is not logged in before doing the login.

PHP:
// Only a guest (user_id 0) is logged in here; an already logged-in visitor skips the block.
if (!\XF::visitor()->user_id)
{
    /** @var \XF\ControllerPlugin\Login $loginPlugin */
    $loginPlugin = $this->plugin('XF:Login');
    $loginPlugin->completeLogin($token->User, $remember);
}

I am suggesting that it should be possible to use an api-token to log into a different account if you are already logged in.
This then becomes:
PHP:
if (!\XF::visitor()->user_id || \XF::visitor()->user_id !== $token->user_id)
{
    /** @var \XF\ControllerPlugin\Login $loginPlugin */
    $loginPlugin = $this->plugin('XF:Login');
    $loginPlugin->completeLogin($token->User, $remember);
}

or the condition removed entirely.

Thanks
Thank you for reporting this issue; it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.4).

Change log:
When logging in via an API generated token, allow the existing logged in user to be replaced (if logged in as a different user) with the new user if force=1 appended to the URL.
There may be a delay before changes are rolled out to the XenForo Community.
This was mostly as designed but to add an additional layer of flexibility, from 2.2.4 onwards it is possible to append force=1 to the URL in order to force a replacement of the current logged in user.
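The decision the thread is about, written out as a small stand-alone PHP script. This is an added example and not XenForo's code: it models the choice actionApiToken() has to make once a token has been loaded (guest, same user, or a different user with or without force=1), with the 2.2.3 behaviour being the case where force is never set. The token array, the visitor user_id argument (0 for a guest), the decision constants and the query parameter name `token` in the sample URLs are all assumptions made for the example; only `force=1` comes from the thread.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not XenForo's code. It models the decision actionApiToken()
 * makes once a valid login token has been loaded: should the token's user
 * replace whoever is currently logged in?
 *
 * Assumptions (hypothetical, not from the XenForo source): the token is an
 * array with a 'user_id', the visitor is identified by an int user_id
 * (0 = guest), and "force" is read from the query string of the login URL.
 */

const LOGIN_COMPLETE = 'complete_login';    // call completeLogin() for the token's user
const LOGIN_NOOP     = 'already_that_user'; // visitor already is the token's user
const LOGIN_KEEP     = 'keep_current';      // a different user is logged in and force=1 is absent

/**
 * Policy as described for 2.2.4: a guest is always logged in; a different
 * logged-in user is replaced only when force=1 was appended to the URL.
 * The 2.2.3 behaviour reported in the thread is the special case where
 * $force is always false, so the logged-in user is never replaced.
 */
function decideApiTokenLogin(int $visitorUserId, array $token, bool $force): string
{
    if ($visitorUserId === 0) {
        return LOGIN_COMPLETE;
    }
    if ($visitorUserId === (int) $token['user_id']) {
        return LOGIN_NOOP;
    }
    return $force ? LOGIN_COMPLETE : LOGIN_KEEP;
}

/** Reads the opt-in flag from a login URL; only an explicit force=1 counts. */
function forceFlagFromUrl(string $url): bool
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);
    return isset($params['force']) && $params['force'] === '1';
}

// Self-check with constructed inputs; "token=PLACEHOLDER" is not a real parameter name.
$token = ['user_id' => 42];
$cases = [
    // [visitor user_id, login URL, expected decision]
    [0,  '/login/api-token?token=PLACEHOLDER',         LOGIN_COMPLETE], // guest
    [42, '/login/api-token?token=PLACEHOLDER&force=1', LOGIN_NOOP],     // same user
    [7,  '/login/api-token?token=PLACEHOLDER',         LOGIN_KEEP],     // different user, no force
    [7,  '/login/api-token?token=PLACEHOLDER&force=1', LOGIN_COMPLETE], // different user, forced
    [7,  '/login/api-token?token=PLACEHOLDER&force=0', LOGIN_KEEP],     // force=0 is not an opt-in
];
foreach ($cases as [$visitor, $url, $expected]) {
    $got = decideApiTokenLogin($visitor, $token, forceFlagFromUrl($url));
    if ($got !== $expected) {
        fwrite(STDERR, "visitor=$visitor url=$url expected=$expected got=$got\n");
        exit(1);
    }
}
echo "all cases behave as described\n";
```

Run it with `php` on the command line; it exits non-zero on the first case that deviates from the described policy. Keeping the replacement behind an explicit opt-in means a login link that reaches an already authenticated browser leaves that session alone by default, which is the conservative choice the 2.2.4 change preserves.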