From 89deb7c45eb2429b7b0e0eae600234debb0c3825 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20Gonz=C3=A1lez?=
Date: Sun, 12 Apr 2026 20:32:24 +0200
Subject: [PATCH] fix: correct config keys and hardcoded threshold in OneTimeLoginLinkBehavior

- Read threshold from OneTimeLogin.thresholdTimeout config (was hardcoded to 10s)
- Read token lifetime from OneTimeLogin.tokenLifeTime (was wrongly prefixed with Auth.)
---
 src/Model/Behavior/OneTimeLoginLinkBehavior.php | 5 +++--
 .../TestCase/Model/Behavior/OneTimeLoginLinkBehaviorTest.php | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/Model/Behavior/OneTimeLoginLinkBehavior.php b/src/Model/Behavior/OneTimeLoginLinkBehavior.php
index d56f9e9f..e9186693 100644
--- a/src/Model/Behavior/OneTimeLoginLinkBehavior.php
+++ b/src/Model/Behavior/OneTimeLoginLinkBehavior.php
@@ -32,7 +32,8 @@ public function sendLoginLink(string $name): void
 $loginTokenDate = $user->login_token_date ?? null;
- if ($loginTokenDate && $loginTokenDate > DateTime::now()->subSeconds(10)) {
+ $threshold = Configure::read('OneTimeLogin.thresholdTimeout', 60);
+ if ($loginTokenDate && $loginTokenDate > DateTime::now()->subSeconds($threshold)) {
 $this->requestTokenSend($name);
 } else {
 $token = bin2hex(random_bytes(32 / 2));
@@ -63,7 +64,7 @@ public function sendLoginLink(string $name): void
 */
 public function loginWithToken(string $token): ?EntityInterface
 {
- $lifeTime = Configure::read('Auth.OneTimeLogin.tokenLifeTime', 600);
+ $lifeTime = Configure::read('OneTimeLogin.tokenLifeTime', 600);
 $user = $this->table()
 ->find('byOneTimeToken', token: $token)
 ->first();
diff --git a/tests/TestCase/Model/Behavior/OneTimeLoginLinkBehaviorTest.php b/tests/TestCase/Model/Behavior/OneTimeLoginLinkBehaviorTest.php
index 5020cf88..d5d6233a 100644
--- a/tests/TestCase/Model/Behavior/OneTimeLoginLinkBehaviorTest.php
+++ b/tests/TestCase/Model/Behavior/OneTimeLoginLinkBehaviorTest.php
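Review bot: In `sendLoginLink`, the value read from `OneTimeLogin.thresholdTimeout` is passed to `subSeconds($threshold)` with no type or range check, so a negative setting moves the cut-off into the future and the else branch then generates a fresh token on every request, while a non-integer value may raise a TypeError if the file declares strict types. Normalise it where it is read, for example `$threshold = max(0, (int)Configure::read('OneTimeLogin.thresholdTimeout', 60));`; the same applies to `$lifeTime` in the `loginWithToken` hunk. The fallback is 60 where the removed line used 10, which the commit message does not mention, so installations without the key get a longer window than before. It would also help to document that the threshold is expected to stay below `tokenLifeTime`, since the first branch presumably re-sends the existing token. The body of `sendLoginLink` continues outside the hunk.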
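Review bot: In `loginWithToken`, an installation that had set `Auth.OneTimeLogin.tokenLifeTime` (the key the code read until now) silently falls back to 600 seconds after this change, which lengthens token validity if a shorter lifetime had been configured. Either keep a deprecated fallback, `$lifeTime = Configure::read('OneTimeLogin.tokenLifeTime') ?? Configure::read('Auth.OneTimeLogin.tokenLifeTime', 600);`, or call the key change out in the changelog or upgrade notes. The function body continues outside the hunk, so how `$lifeTime` is compared with `login_token_date` is not visible here.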
@@ -157,7 +157,7 @@ public function testLoginWithTokenExpired(): void
 ['id' => $user->id],
 );
- Configure::write('Auth.OneTimeLogin.tokenLifeTime', 600);
+ Configure::write('OneTimeLogin.tokenLifeTime', 600);
 $loggedUser = $this->Behavior->loginWithToken($token);
 $this->assertNull($loggedUser);
 }
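Review bot: `testLoginWithTokenExpired` writes 600 to `OneTimeLogin.tokenLifeTime`, which is the same value `loginWithToken` uses as its fallback, so the test passes whether or not the key is actually read; that is presumably how the wrong `Auth.` prefix went unnoticed. Write a non-default lifetime chosen against the token date set earlier in the test (outside this hunk), and add a companion case where the token is accepted only because of the configured value. The new `OneTimeLogin.thresholdTimeout` read in `sendLoginLink` has no test in this patch either.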