Validate email before creating identity during sign-up and sign-in

Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
This commit is contained in:
Mike Dalessio
2025-12-06 16:52:16 -05:00
parent 95ba2c01b8
commit 0160f215f2
7 changed files with 64 additions and 37 deletions
+5 -11
View File
@@ -20,8 +20,11 @@ class JoinCodesController < ApplicationController
elsif identity == Current.identity
redirect_to new_users_verification_url(script_name: @join_code.account.slug)
else
logout_and_send_new_magic_link(identity)
redirect_to session_magic_link_url(script_name: nil)
terminate_session if Current.identity
redirect_to_session_magic_link \
identity.send_magic_link,
return_to: new_users_verification_url(script_name: @join_code.account.slug)
end
end
@@ -37,13 +40,4 @@ class JoinCodesController < ApplicationController
render :inactive, status: :gone
end
end
def logout_and_send_new_magic_link(identity)
terminate_session if Current.identity
magic_link = identity.send_magic_link
serve_development_magic_link(magic_link)
session[:return_to_after_authenticating] = new_users_verification_url(script_name: @join_code.account.slug)
end
end