增加 授权二次验证

app/Http/Controllers/Web/AuthController.php

@@ -27,14 +27,12 @@ public function index(Request $request)
         // if logged in
         if ($request->callback) {
 
+            session(['callback' => $request->callback]);
+
+
             if (Auth::check()) {
-
-                // create token
-                $token = $request->user()->createToken('Auto login at ' . now());
-
-                return redirect($request->callback . '?token=' . $token->plainTextToken);
+                return redirect()->route('confirm_redirect');
             } else {
-                session(['callback' => $request->callback]);
                 return redirect()->route('login');
             }
         }
@@ -42,6 +40,16 @@ public function index(Request $request)
         return view('index');
     }
 
+    public function confirm_redirect(Request $request)
+    {
+        // create token
+
+        $callback = $request->callback ?? session('callback');
+
+
+        return view('confirm_redirect', compact('callback'));
+    }
+
     public function redirect(Request $request)
     {
         $request->session()->put('state', $state = Str::random(40));

resources/views/confirm_redirect.blade.php

@@ -0,0 +1,56 @@
+@extends('layouts.app')
+
+@section('title', '确认')
+
+@section('content')
+
+    @if (session('callback'))
+
+        @if(session('token'))
+
+            <h3>带你去目标站点...</h3>
+
+
+            <form action="{{ route('deleteAll') }}" method="post" class="mt-5">
+                @csrf
+                @method('delete')
+                <p>如果您反悔了，您还可以吊销全部 Token。</p>
+                <button class="btn btn-danger" type="submit">吊销全部 Token</button>
+            </form>
+
+            @php
+                session()->forget('callback');
+            @endphp
+
+            <script>
+                setTimeout(function () {
+                    window.location.href = "{{ $callback . '?token=' . session('token')}}";
+                }, 3000);
+            </script>
+        @else
+
+            <h3>您确定吗？</h3>
+            <p>一个应用程序正在试图自动获取您的 Token， 诺您信任它，请点击"好"。</p>
+
+            <p>您点击"好"后，您将前往这个地址: <code>{{ $callback }}</code>。</p>
+
+
+            <form action="{{ route('newToken') }}" name="newToken" method="POST">
+                @csrf
+                <input type="hidden" name="token_name" placeholder="Token 名字"
+                       value="自动登录 - {{ date('Y-m-d H:i:s') }}"/>
+                <button type="submit" class="btn btn-primary">好</button>
+
+                <a href="/" class="btn btn-danger">不，带我去首页。</a>
+
+            </form>
+
+        @endif
+    @else
+
+        <h3>嗯...还没有快捷登录。</h3>
+        <p>您可以返回应用重试登录，或者继续做您的事情。</p>
+
+    @endif
+
+@endsection

routes/web.php

@@ -9,6 +9,7 @@
     Route::view('banned', 'banned')->name('banned')->withoutMiddleware('banned');
     Route::post('logout', [AuthController::class, 'logout'])->name('logout')->withoutMiddleware('banned');
 
+    Route::get('confirm_redirect', [AuthController::class, 'confirm_redirect'])->name('confirm_redirect');
     Route::post('newToken', [AuthController::class, 'newToken'])->name('newToken');
     Route::delete('deleteAll', [AuthController::class, 'deleteAll'])->name('deleteAll');