after_login not fired after auto_login()

[josuesalas95]

Hi, I saw this issue from the old repo https://github.com/NoamB/sorcery/issues/632. I'm facing the same scenario as the author and I'm wondering if the change is still possible?

[joshbuker]

This definitely seems doable. My main question is how breaking this change would be for end users. Providing a config option for enabling this, while keeping the default disabled could also be a solution, although it would add more complexity.

@Sorcery/contributors and others, what are your thoughts on this?

[mladenilic]

I think it will have some weird effects. For example, activity logging (login time/ip) will be triggered on auto_login. So if admin hijacks user session, it will be tracked as if user himself logged in, which probably isn't expected behavior.

Does is make sense to have something like after_auto_login and allow users to inject callbacks there?

[joshbuker]

Having a separate callback hook sounds like it might work. One problem I could see though is being able to differentiate when auto_login is called by itself, vs by the normal login method. To me it feels like maybe the dynamic between auto_login and login isn't ideal and should be rethought.

[brianflanagan]

I'd be interested in this as a configurable option. We use auto_login for a passwordless login flow, so it'd be useful to make the behaviour mimic the typical login flow (e.g. activity logging).