The Laravel Socialite docs say:

The stateless method may be used to disable session state verification. This is useful when adding social authentication to an API:

return Socialite::driver('google')->stateless()->user();
"Disable session state verification" sounds scary to me. The docs don't elaborate on what the security trade-off is.
In what cases is session state verification important, and why?
Background info and context:
My Socialite flow (using Facebook) is working completely fine when I use stateless().

But if I remove stateless(), only the "normal case" part of my flow works, and the part of the flow that re-requests "email" permissions (if a user omits them at first) does not work and instead results in Laravel\Socialite\Two\InvalidStateException.

Also, I'm not calling $provider->stateless()->user() more than once per request because I know from these docs that it removes a "state" variable from the session and therefore would fail on subsequent calls.

(I use getRedirectLoginHelper()->getReRequestUrl($redirectUrl, ['email']). See FacebookRedirectLoginHelper doc)
via Chebli Mohamed
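As an added illustration (not from the question and not Socialite's own code), the following Python model shows what the OAuth 2.0 "state" check does: the redirect step mints a random nonce into the session, the callback step consumes it and compares it with the value the provider echoes back, and a callback that this session never started (or a second call after the nonce was consumed, as the question observes) is rejected. The session and request are plain dicts and all function names are hypothetical; stateless=True models the stateless() behaviour of skipping the check entirely.

```python
import hmac
import secrets


class InvalidStateException(Exception):
    """Callback state is missing or does not match what this session stored."""


def begin_redirect(session: dict) -> str:
    """Redirect step: mint a one-time nonce, store it in the session and return it
    so it can be sent as the 'state' query parameter of the authorization URL."""
    state = secrets.token_urlsafe(32)
    session["state"] = state
    return state


def callback_user(session: dict, request: dict, stateless: bool = False) -> dict:
    """Callback step: verify the echoed state before trusting the 'code'.

    The nonce is popped, so it is single-use; a second call on the same request
    finds nothing in the session and fails. With stateless=True the check is
    skipped, which means any callback carrying a valid code is accepted even if
    this browser session never initiated the flow (the CSRF binding is lost)."""
    if not stateless:
        expected = session.pop("state", None)
        actual = request.get("state")
        if expected is None or actual is None:
            raise InvalidStateException("no state to compare: flow not started here")
        # constant-time comparison on bytes; str inputs may be non-ASCII
        if not hmac.compare_digest(expected.encode(), actual.encode()):
            raise InvalidStateException("state mismatch: callback not bound to session")
    # Token exchange with the provider would happen here; constructed stub result.
    return {"provider_user_id": "constructed-user-id", "code": request["code"]}


def demo() -> dict:
    """Walk through the honest flow, a replayed callback, and a foreign callback."""
    results = {}
    session = {}
    state = begin_redirect(session)
    results["ok"] = callback_user(session, {"state": state, "code": "c1"})
    try:  # same request handled twice: nonce already consumed
        callback_user(session, {"state": state, "code": "c1"})
        results["replay"] = "accepted"
    except InvalidStateException:
        results["replay"] = "rejected"
    fresh = {}
    begin_redirect(fresh)
    try:  # callback carrying a state this session did not mint
        callback_user(fresh, {"state": "not-ours", "code": "c2"})
        results["foreign"] = "accepted"
    except InvalidStateException:
        results["foreign"] = "rejected"
    results["stateless_foreign"] = callback_user({}, {"code": "c3"}, stateless=True)
    return results
```

Running demo() shows the stateful check rejecting both the replayed and the foreign callback while the stateless variant accepts a callback with no session binding at all.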