From 800db0b99debdbfb4e93e264e3aa8b05147ab4f9 Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Sun, 14 Sep 2025 05:23:30 +0000
Subject: [PATCH] Fix magic URL token length

---
 app/controllers/api/account.php | 5 +++--
 tests/e2e/Services/Account/AccountCustomClientTest.php | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index ed2f839b5b..3059f3e815 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -2034,7 +2034,8 @@ App::post('/v1/account/tokens/magic-url')
         Authorization::skip(fn () => $dbForProject->createDocument('users', $user));
     }
 
-    $tokenSecret = $proofForToken->generate();
+    $proofsForTokenMagicUrl = new ProofsToken(TOKEN_LENGTH_MAGIC_URL);
+    $tokenSecret = $proofsForTokenMagicUrl->generate();
     $expire = DateTime::formatTz(DateTime::addSeconds(new \DateTime(), TOKEN_EXPIRATION_CONFIRM));
 
     $token = new Document([
@@ -2042,7 +2043,7 @@ App::post('/v1/account/tokens/magic-url')
         'userId' => $user->getId(),
         'userInternalId' => $user->getSequence(),
         'type' => TOKEN_TYPE_MAGIC_URL,
-        'secret' => $proofForToken->hash($tokenSecret), // One way hash encryption to protect DB leak
+        'secret' => $proofsForTokenMagicUrl->hash($tokenSecret), // One way hash encryption to protect DB leak
         'expire' => $expire,
         'userAgent' => $request->getUserAgent('UNKNOWN'),
         'ip' => $request->getIP(),
diff --git a/tests/e2e/Services/Account/AccountCustomClientTest.php b/tests/e2e/Services/Account/AccountCustomClientTest.php
index a8035ff234..bd3fec8439 100644
--- a/tests/e2e/Services/Account/AccountCustomClientTest.php
+++ b/tests/e2e/Services/Account/AccountCustomClientTest.php
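Review bot: `TOKEN_LENGTH_MAGIC_URL` and the inline `new ProofsToken(...)` are introduced in the first hunk with no definition or wiring in this patch; the diffstat lists only these two files, so the constant must already exist elsewhere in the codebase, otherwise this route fails with an undefined-constant error at request time. The same hunk also replaces the injected `$proofForToken` with a locally constructed instance, so the verification path that later compares a submitted secret against the stored `'secret'` (outside this hunk) must hash with an equivalently configured `ProofsToken`, or magic-URL logins will stop validating; confirming that with an e2e round-trip would be stronger than the substring-length change in AccountCustomClientTest. Consider naming the local to match the existing singular convention, `$proofForTokenMagicUrl = new ProofsToken(TOKEN_LENGTH_MAGIC_URL);`, and rewording the trailing comment on the `'secret'` line in the second hunk to `// one-way hash: a DB leak must not yield a usable token secret`, since this is a hash, not encryption. The enclosing App::post closure starts and ends outside both hunks.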
@@ -2698,7 +2698,7 @@ class AccountCustomClientTest extends Scope
         $this->assertStringContainsStringIgnoringCase('Sign in to '. $this->getProject()['name'] . ' with your secure link. Expires in 1 hour.', $lastEmail['text']);
         $this->assertStringNotContainsStringIgnoringCase('security phrase', $lastEmail['text']);
-        $token = substr($lastEmail['text'], strpos($lastEmail['text'], '&secret=', 0) + 8, 256);
+        $token = substr($lastEmail['text'], strpos($lastEmail['text'], '&secret=', 0) + 8, 64);
         $expireTime = strpos($lastEmail['text'], 'expire=' . urlencode($response['body']['expire']), 0);