matthiask / django-authlib

Utilities for passwordless authentication (using magic links, Google, Facebook and Twitter OAuth currently)
https://django-authlib.readthedocs.io/
MIT License

Does forwarding magic link work? #4

Open hgezim opened 6 years ago

hgezim commented 6 years ago

I don't see any use in allowing users to forward their magic links and exposing this larger security hole.

It would be nice if the library stored a cookie on the client when they request a magic link and, when logging in, it can check to ensure the cookie is there; if not, the login attempt fails.
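One way to implement the check proposed above, as an added illustration that is not code from django-authlib: the server sets a random nonce as a cookie when the link is requested, and the signature in the emailed token covers that nonce, so a link opened in a browser without the matching cookie fails verification. Function names, the 15-minute lifetime and the test secret are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

MAX_AGE = 15 * 60  # assumed policy: a magic link is valid for 15 minutes


def _sign(secret: bytes, email: str, issued_at: int, browser_nonce: str) -> str:
    # The nonce is part of the signed message but never part of the emailed token,
    # so a forwarded link alone is not enough to log in.
    msg = f"{email}\n{issued_at}\n{browser_nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_magic_link(secret: bytes, email: str, now=None):
    """Return (token, cookie_value): the token goes into the emailed URL, the cookie
    value is set on the browser that requested the link (HttpOnly, short-lived)."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(32)
    payload = base64.urlsafe_b64encode(f"{email}\n{now}".encode()).decode().rstrip("=")
    return f"{payload}.{_sign(secret, email, now, nonce)}", nonce


def verify_magic_link(secret: bytes, token: str, cookie_value, now=None):
    """Return the e-mail address for a valid token presented with the matching cookie,
    otherwise None (missing cookie, other browser, tampered or expired token)."""
    if cookie_value is None:
        return None
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        padded = payload + "=" * (-len(payload) % 4)
        email, issued = base64.urlsafe_b64decode(padded).decode().split("\n")
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    if issued_at > now or now - issued_at > MAX_AGE:
        return None
    expected = _sign(secret, email, issued_at, cookie_value)
    if not hmac.compare_digest(expected, sig):
        return None
    return email


if __name__ == "__main__":
    key = b"constructed-test-secret"  # constructed sample; use a real secret in production
    tok, cookie = issue_magic_link(key, "alice@example.com")
    print(verify_magic_link(key, tok, cookie))   # alice@example.com
    print(verify_magic_link(key, tok, None))     # None: link opened without the cookie
```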

matthiask commented 6 years ago

I'm not completely sure what you're asking. Maybe you're referring to this?

When hitting the login view, the link passed with the next query parameter is saved in a cookie. The redirect only happens if the target is a safe URL: https://github.com/matthiask/django-authlib/blob/762d8612f5149076218bfd9a7eaa23c3658864af/authlib/views.py#L25

There might be a security hole somewhere (I'm no security expert) but I don't see the problem right away. Care to enlighten me?

matthiask commented 6 years ago

Ah, I see what you're referring to. Sorry for being dense at first.

Yes, that would be a good addition.