after_login not fired after auto_login()
Hi, I saw this issue from the old repo https://github.com/NoamB/sorcery/issues/632. I'm facing the same scenario as the author and I'm wondering if the change is still possible?
This definitely seems doable. My main question is how breaking this change would be for end users. Providing a config option for enabling this, while keeping the default disabled could also be a solution, although it would add more complexity.
@Sorcery/contributors and others, what are your thoughts on this?
I think it will have some weird effects. For example, activity logging (login time/ip) will be triggered on auto_login. So if admin hijacks user session, it will be tracked as if user himself logged in, which probably isn't expected behavior.
Does is make sense to have something like after_auto_login and allow users to inject callbacks there?
Having a separate callback hook sounds like it might work. One problem I could see though is being able to differentiate when auto_login is called by itself, vs by the normal login method. To me it feels like maybe the dynamic between auto_login and login isn't ideal and should be rethought.
I'd be interested in this as a configurable option. We use auto_login for a passwordless login flow, so it'd be useful to make the behaviour mimic the typical login flow (e.g. activity logging).