tiennm99/coolify
1
0
Fork 0
mirror of https://github.com/tiennm99/coolify.git synced 2026-06-25 21:06:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth): bind magic links to their invitation

Browse Source 
Include the invitation UUID in generated magic link tokens and validate the
matching stored invitation link before logging the user in, preventing stale
or same-email invitations from being reused.
This commit is contained in:
Andras Bacsai
2026-06-02 12:57:30 +02:00
parent 40d570f195
commit cd06e10b1b
4 changed files with 45 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Controller.php
+13 -2
View File
@@ -109,14 +109,25 @@ class Controller extends BaseController
return redirect()->route('login')->with('error', 'Invalid credentials.');
}
[$email, $password] = explode('@@@', $decrypted, 2);
$payload = explode('@@@', $decrypted, 3);
if (count($payload) === 3) {
[$email, $invitationUuid, $password] = $payload;
} else {
[$email, $password] = $payload;
$invitationUuid = null;
}
$email = Str::lower($email);
$user = User::whereEmail($email)->first();
if (! $user) {
return redirect()->route('login');
}
$invitation = TeamInvitation::whereEmail($email)->first();
$invitation = TeamInvitation::query()
->where('email', $email)
->when($invitationUuid, fn ($query) => $query->where('uuid', $invitationUuid))
->where('link', request()->fullUrl())
->first();
if (! $invitation || ! $invitation->isValid()) {
return redirect()->route('login')->with('error', 'Invitation has expired or been revoked.');
}