QR login is one of those features that looks tiny on the roadmap and turns out to be a security minefield. You show a QR code in the browser, scan it with a phone you are already signed in on, and the web session logs itself in. WhatsApp Web, Telegram Web, Steam. Everyone has used it. Nobody thinks about what happens behind it.
I had a working version of this in an app I already run in production. So when it came time to add cross-device login to the LaraFoundry core, I did what I do with every module: I extracted the real code instead of writing a fresh one from a blog post. Extracting beats greenfield because the logic already survived contact with real users. But there is a catch, and it is the whole point of this post: code that works is not the same as code that is safe. The donor version worked fine and had eleven things I was not willing to ship.
This is the list. Every hole, and what it became.
The flow, in one paragraph
The browser (a guest, not logged in) asks the backend for a sign-in request and renders it as a QR. A second device that is already authenticated scans the code and hits a verify endpoint to approve it. Meanwhile the browser polls until the request flips to approved, then logs the user in. Three endpoints: generate, verify, poll. Simple shape, lots of sharp edges.
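To make the three-endpoint shape concrete, here is an added in-memory model of generate, verify and poll (my example, not LaraFoundry's code). It assumes the approving phone's user id comes from its own authenticated session, a two-minute request lifetime and single-use requests; those are my assumptions, not the post's list.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TTL_SECONDS = 120  # assumed lifetime of a pending sign-in request


@dataclass
class SignInRequest:
    created_at: float
    status: str = "pending"          # pending -> approved, then removed
    user_id: Optional[int] = None


class QrLogin:
    """In-memory model of the generate / verify / poll endpoints."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.requests: Dict[str, SignInRequest] = {}
        self.clock = clock

    def generate(self) -> str:
        # Browser (guest) asks for a request; the id is an unguessable random
        # token and is the only thing that ends up inside the QR image
        rid = secrets.token_urlsafe(32)
        self.requests[rid] = SignInRequest(created_at=self.clock())
        return rid

    def _live(self, rid: str) -> Optional[SignInRequest]:
        req = self.requests.get(rid)
        if req is None or self.clock() - req.created_at > TTL_SECONDS:
            self.requests.pop(rid, None)  # unknown or expired: drop it
            return None
        return req

    def verify(self, rid: str, authenticated_user_id: int) -> bool:
        # Called by the already-signed-in phone. The user id is taken from the
        # phone's session, never from the QR payload or the request body.
        req = self._live(rid)
        if req is None or req.status != "pending":
            return False  # expired, unknown, or already approved once
        req.status, req.user_id = "approved", authenticated_user_id
        return True

    def poll(self, rid: str) -> Tuple[str, Optional[int]]:
        # Called by the browser. Once approved, the request is removed so the
        # same id cannot be polled into a second login; the server-side handler
        # uses the returned user id to start the browser session itself.
        req = self._live(rid)
        if req is None:
            return ("expired", None)
        if req.status != "approved":
            return ("pending", None)
        self.requests.pop(rid, None)
        return ("approved", req.user_id)
```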