New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RememberMe + Socialite #45945
Comments
You can circumvent this by setting a random password when registering the user. I'm not sure it's wise to change anything here right now with the change being so old. |
@joelbutcher if I open a PR on socialstream for this, do you prefer a doc tweak or a change to enforce a random password if remember me is enabled? |
@lsmith77 I agree with Dries on this, setting a random password per user and emailing this out to them would be the best mitigation of the sec issue. But, since you're exclusively wanting to use OAuth for authentication and remove email + password auth, I'd prefer this to be a documented "gotcha" rather than a sec related issue Socialstreams tries to solve for all developers as everyone could potentially want a different solution for this. |
@joelbutcher ok .. on what repo should this be documented? framework, jetstream or socialstream? |
@lsmith77 Please send documentation updates to joelbutcher/socialstream-docs |
Description:
The issue is a regression caused by: #34020
Steps To Reproduce:
Setup a Laravel app with Socialite (Socialstream in my case). Use social login exclusively to authenticate. As a result password will be empty on the user and therefore the user will be immediately logged out after they were authenticated via their remember me cookie due to the
! $passwordHash
check inAuthenticateSession::handle()
framework/src/Illuminate/Session/Middleware/AuthenticateSession.php
Line 46 in 35be259
A "fix" would be to set a default password on all users but this feels like a security issue waiting to happen.
The text was updated successfully, but these errors were encountered: