fix: resolve session overlap when following email profile links

app/Http/Controllers/UserController.php

@@ -247,6 +247,24 @@ public function getLogin()
         return $this->login_strategy->getLogin();
     }
 
+    public function getProfileLink(LaravelRequest $request)
+    {
+        if (!$request->hasValidSignature()) {
+            abort(403);
+        }
+        $user_id = intval($request->query('user_id'));
+        $current = $this->auth_service->getCurrentUser();
+        if ($current && $current->getId() !== $user_id) {
+            $this->auth_service->logout();
+        }
+        if ($this->auth_service->getCurrentUser()) {
+            return Redirect::action("UserController@getProfile");
+        }
+        $user = $this->auth_service->getUserById($user_id);
+        $hint = $user ? $user->getEmail() : null;
+        return Redirect::action("UserController@getLogin", $hint ? ['login_hint' => $hint] : []);
+    }
+
     public function cancelLogin()
     {
         return $this->login_strategy->cancelLogin();

app/Mail/UserEmailVerificationRequest.php

@@ -47,7 +47,7 @@ final class UserEmailVerificationRequest extends Mailable
     /**
      * @var string
      */
-    public $bio_link;
+    public $profile_link;
 
     /**
      * The subject of the message.
@@ -66,7 +66,7 @@ public function __construct(User $user, string $verification_link)
         $this->verification_link = $verification_link;
         $this->user_email = $user->getEmail();
         $this->user_fullname = $user->getFullName();
-        $this->bio_link = URL::action("UserController@getLogin");
+        $this->profile_link = URL::signedRoute('auth.profile-link', ['user_id' => $user->getId()]);
     }
 
     /**

app/Mail/UserEmailVerificationSuccess.php

@@ -17,6 +17,7 @@
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\URL;
 
 /**
  * Class UserEmailVerificationSuccess
@@ -61,6 +62,11 @@ class UserEmailVerificationSuccess extends Mailable
      */
     public $user_is_complete;
 
+    /**
+     * @var string
+     */
+    public $profile_link;
+
     /**
      * UserEmailVerificationSuccess constructor.
      * @param User $user
@@ -80,6 +86,7 @@ public function __construct
             !empty($user->getLastName()) &&
             !empty($user->getCompany()) &&
             !empty($user->getCountry());
+        $this->profile_link = URL::signedRoute('auth.profile-link', ['user_id' => $user->getId()]);
     }
 
     /**

app/Mail/WelcomeNewUserEmail.php

@@ -42,7 +42,7 @@ class WelcomeNewUserEmail extends Mailable
     /**
      * @var string
      */
-    public $bio_link;
+    public $profile_link;
 
     /**
      * @var string
@@ -90,7 +90,7 @@ public function __construct
     {
         $this->user_email = $user->getEmail();
         $this->user_fullname = $user->getFullName();
-        $this->bio_link = URL::action("UserController@getLogin");
+        $this->profile_link = URL::signedRoute('auth.profile-link', ['user_id' => $user->getId()]);
         $this->user_is_complete = !empty($user->getFirstName()) &&
                                   !empty($user->getLastName()) &&
                                   !empty($user->getCompany()) &&

resources/views/emails/auth/email_verification_request.blade.php

@@ -19,7 +19,7 @@
         <tr>
             <td align="center" style="font-size:0px;padding:10px 25px;padding-right:16px;padding-left:25px;word-break:break-word;">
                 <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">
-                    To edit your profile just click <a href="{!! $bio_link  !!}" target="_blank">here</a>. You may update your photo, add a bio, and other information you wish to share.
+                    To edit your profile just click <a href="{!! $profile_link  !!}" target="_blank">here</a>. You may update your photo, add a bio, and other information you wish to share.
                 </div>
             </td>
         </tr>

resources/views/emails/auth/email_verification_request_success.blade.php

@@ -19,7 +19,7 @@
         @if(!$user_is_complete)
         <tr>
             <td align="center" style="font-size:0px;padding:10px 25px;padding-right:16px;padding-left:25px;word-break:break-word;">
-                <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">You may enter your profile details <a href="{!! URL::action("UserController@getLogin") !!}" target="_blank">here</a>.</div>
+                <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">You may enter your profile details <a href="{!! $profile_link !!}" target="_blank">here</a>.</div>
             </td>
         </tr>
         @endif

resources/views/emails/welcome_new_user_email.blade.php

@@ -27,7 +27,7 @@
         <tr>
             <td align="center" style="font-size:0px;padding:10px 25px;padding-right:16px;padding-left:25px;word-break:break-word;">
                 <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">
-                    To edit your profile just click <a href="{!! URL::action("UserController@getLogin") !!}">here</a>.
+                    To edit your profile just click <a href="{!! $profile_link !!}">here</a>.
                     You may update your photo, add a bio, and other information you wish to share.
                 </div>
             </td>

resources/views/emails/welcome_new_user_email_fn.blade.php

@@ -18,7 +18,7 @@
         @if(!$user_is_complete)
         <tr>
             <td align="center" style="font-size:0px;padding:10px 25px;padding-right:16px;padding-left:25px;word-break:break-word;">
-                <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">If you have not entered your first name, last name, company, and country please <a href="{!! URL::action("UserController@getLogin") !!}" target="_blank">do so in your profile now</a>. You may also update your photo, add a bio, and provide other information you wish to share.</div>
+                <div style="font-family:open Sans Helvetica, Arial, sans-serif;font-size:16px;line-height:1;text-align:center;color:#000000;">If you have not entered your first name, last name, company, and country please <a href="{!! $profile_link !!}" target="_blank">do so in your profile now</a>. You may also update your photo, add a bio, and provide other information you wish to share.</div>
             </td>
         </tr>
         @endif

routes/web.php

@@ -69,6 +69,8 @@
             Route::post('', ['middleware' => 'csrf', 'uses' => 'Auth\EmailVerificationController@resend']);
         });
 
+        Route::get('profile-link', 'UserController@getProfileLink')->name('auth.profile-link');
+
         // password reset routes
 
         Route::group(array('prefix' => 'password'), function () {

start_local_server.sh

@@ -4,6 +4,7 @@ export DOCKER_SCAN_SUGGEST=false
 
 docker compose run --rm app composer install
 docker compose run --rm app php artisan doctrine:migrations:migrate --no-interaction
+docker compose run --rm app php artisan route:clear
 docker compose run --rm app php artisan db:seed --force
 docker compose run --rm app php artisan idp:create-super-admin test@test.com 1Qaz2wsx!
 docker compose run --rm app yarn install

tests/ProfileLinkSessionTest.php

@@ -0,0 +1,121 @@
+<?php namespace Tests;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Session;
+use Illuminate\Support\Facades\URL;
+use LaravelDoctrine\ORM\Facades\EntityManager;
+
+/**
+ * Class ProfileLinkSessionTest
+ *
+ * Regression tests for the session-overlap bug: clicking a profile link from
+ * an email while a different user is already logged in must NOT land on the
+ * currently-authenticated user's profile.
+ */
+final class ProfileLinkSessionTest extends BrowserKitTestCase
+{
+    private User $user_a;
+    private User $user_b;
+
+    protected function prepareForTests(): void
+    {
+        parent::prepareForTests();
+        Session::start();
+        $this->user_a = EntityManager::getRepository(User::class)->findOneBy(['identifier' => 'sebastian.marcet']);
+        $this->user_b = EntityManager::getRepository(User::class)->findOneBy(['identifier' => '2']);
+    }
+
+    private function profileLinkFor(User $user): string
+    {
+        return URL::signedRoute('auth.profile-link', ['user_id' => $user->getId()]);
+    }
+
+    /**
+     * A tampered or forged signature must be rejected immediately with 403.
+     * This prevents an attacker from crafting links for arbitrary user IDs.
+     */
+    public function testTamperedSignatureReturns403(): void
+    {
+        $url = $this->profileLinkFor($this->user_a);
+        $tampered = preg_replace('/signature=[^&]+/', 'signature=invalid_forged_value', $url);
+
+        $this->call('GET', $tampered);
+
+        $this->assertResponseStatus(403);
+    }
+
+    /**
+     * An unauthenticated visitor following a valid link is redirected to the
+     * login page pre-filled with the email address of the link's owner.
+     */
+    public function testGuestFollowsLinkRedirectsToLoginWithHint(): void
+    {
+        $response = $this->call('GET', $this->profileLinkFor($this->user_a));
+
+        $this->assertResponseStatus(302);
+        $target = $response->getTargetUrl();
+        $this->assertStringContainsString('login', $target);
+        $this->assertStringContainsString(urlencode($this->user_a->getEmail()), $target);
+    }
+
+    /**
+     * The link's owner, already authenticated, is sent straight to their profile
+     * without having to log in again.
+     */
+    public function testOwnerAlreadyLoggedInRedirectsToProfile(): void
+    {
+        $this->be($this->user_a);
+
+        $response = $this->call('GET', $this->profileLinkFor($this->user_a));
+
+        $this->assertResponseStatus(302);
+        $this->assertStringContainsString('profile', $response->getTargetUrl());
+    }
+
+    /**
+     * Core regression: user B is logged in and follows user A's profile link.
+     * Must redirect to the login page (not to user B's profile), pre-filled
+     * with user A's email so the correct person can authenticate.
+     */
+    public function testDifferentUserLoggedInRedirectsToLoginNotProfile(): void
+    {
+        $this->be($this->user_b);
+
+        $response = $this->call('GET', $this->profileLinkFor($this->user_a));
+
+        $this->assertResponseStatus(302);
+        $target = $response->getTargetUrl();
+        $this->assertStringNotContainsString('profile', $target);
+        $this->assertStringContainsString('login', $target);
+        // Hint must point to user A, not user B
+        $this->assertStringContainsString(urlencode($this->user_a->getEmail()), $target);
+        $this->assertStringNotContainsString(urlencode($this->user_b->getEmail()), $target);
+    }
+
+    /**
+     * After user B follows user A's link, user B's session is invalidated.
+     * Auth::check() must return false — if it were true, user B's profile
+     * would still be accessible from the same browser.
+     */
+    public function testDifferentUserSessionIsInvalidatedAfterFollowingLink(): void
+    {
+        $this->be($this->user_b);
+
+        $this->call('GET', $this->profileLinkFor($this->user_a));
+
+        $this->assertFalse(Auth::check(), 'User B must be logged out after following user A\'s profile link');
+    }
+}