request->getGet('token'); /** @var UserIdentityModel $identityModel */ $identityModel = model(UserIdentityModel::class); $identity = $identityModel->getIdentityBySecret(Session::ID_TYPE_MAGIC_LINK, $token); $identifier = $token ?? ''; // No token found? if ($identity === null) { $this->recordLoginAttempt($identifier, false); $credentials = ['magicLinkToken' => $token]; Events::trigger('failedLogin', $credentials); return redirect()->route('magic-link')->with('error', lang('Auth.magicTokenNotFound')); } // Delete the db entry so it cannot be used again. $identityModel->delete($identity->id); // Token expired? if (Time::now()->isAfter($identity->expires)) { $this->recordLoginAttempt($identifier, false); $credentials = ['magicLinkToken' => $token]; Events::trigger('failedLogin', $credentials); return redirect()->route('magic-link')->with('error', lang('Auth.magicLinkExpired')); } /** @var Session $authenticator */ $authenticator = auth('session')->getAuthenticator(); // If an action has been defined if ($authenticator->hasAction($identity->user_id)) { return redirect()->route('auth-action-show')->with('error', lang('Auth.forcePasswordChange')); } // Log the user in $authenticator->loginById($identity->user_id); $user = $authenticator->getUser(); $this->recordLoginAttempt($identifier, true, $user->id); // Give the developer a way to know the user // logged in via a magic link. session()->setTempdata('magicLogin', true); Events::trigger('magicLogin'); $user->forcePasswordReset(); // Get our login redirect url return redirect()->to('/set-password'); } private function recordLoginAttempt( string $identifier, bool $success, $userId = null ): void { /** @var LoginModel $loginModel */ $loginModel = model(LoginModel::class); $loginModel->recordLoginAttempt( Session::ID_TYPE_MAGIC_LINK, $identifier, $success, $this->request->getIPAddress(), (string) $this->request->getUserAgent(), $userId ); } }