Does forwarding magic link work?

[hgezim]

I don't see any use in allow users to forward their magic links and exposing this larger security hole.

It would be nice if the library stored a cookie on the client when they request a magic link and when logging it, it can check to ensure the cookie is there, if not, the login attempt fails.

[matthiask]

I'm not completely sure what you're asking. Maybe you're referring to this?

When hitting the login view, the link passed with the next query parameter is saved in a cookie. The redirect only happens if the target is a safe URL: https://github.com/matthiask/django-authlib/blob/762d8612f5149076218bfd9a7eaa23c3658864af/authlib/views.py#L25

There might be a security hole somewhere (I'm no security expert) but I don't see the problem right away. Care to enlighten me?

[matthiask]

Ah, I see what you're referring to. Sorry for being dense at first.

Yes, that would be a good addition.