Validate email before creating identity during sign-up and sign-in

Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
This commit is contained in:
Mike Dalessio
2025-12-06 16:52:16 -05:00
parent 95ba2c01b8
commit 0160f215f2
7 changed files with 64 additions and 37 deletions
+21 -7
View File
@@ -36,15 +36,29 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
end
end
private
test "destroy" do
sign_in_as :kevin
test "create with invalid email address" do
# Avoid Sentry exceptions when attackers try to stuff invalid emails. The browser performs form
# field validation that should normally prevent this from occurring, so I'm not worried about
# returning proper validation errors.
without_action_dispatch_exception_handling do
untenanted do
delete session_path
assert_no_difference -> { Identity.count } do
post session_path, params: { email_address: "not-a-valid-email" }
end
assert_redirected_to new_session_path
assert_not cookies[:session_token].present?
assert_response :unprocessable_entity
end
end
end
test "destroy" do
sign_in_as :kevin
untenanted do
delete session_path
assert_redirected_to new_session_path
assert_not cookies[:session_token].present?
end
end
end