Merge pull request #2086 from basecamp/harden-magic-links

Pin sign in attempts to the current session
This commit is contained in:
Stanko Krtalić
2025-12-12 07:23:19 +01:00
committed by GitHub
6 changed files with 60 additions and 5 deletions
@@ -5,6 +5,14 @@ class Sessions::MagicLinksControllerTest < ActionDispatch::IntegrationTest
untenanted do
get session_magic_link_url
assert_response :redirect, "Without an email address pending authentication, should redirect"
assert_redirected_to new_session_path
end
untenanted do
post session_path, params: { email_address: "test@example.com" }
get session_magic_link_url
assert_response :success
end
end
@@ -14,6 +22,7 @@ class Sessions::MagicLinksControllerTest < ActionDispatch::IntegrationTest
magic_link = MagicLink.create!(identity: identity)
untenanted do
post session_path, params: { email_address: identity.email_address }
post session_magic_link_url, params: { code: magic_link.code }
assert_response :redirect
@@ -28,6 +37,7 @@ class Sessions::MagicLinksControllerTest < ActionDispatch::IntegrationTest
magic_link = MagicLink.create!(identity: identity, purpose: :sign_up)
untenanted do
post session_path, params: { email_address: identity.email_address }
post session_magic_link_url, params: { code: magic_link.code }
assert_response :redirect
@@ -37,6 +47,20 @@ class Sessions::MagicLinksControllerTest < ActionDispatch::IntegrationTest
end
end
test "create with cross-user code" do
identity = identities(:kevin)
other_identity = identities(:jason)
magic_link = MagicLink.create!(identity: other_identity)
untenanted do
post session_path, params: { email_address: identity.email_address }
post session_magic_link_url, params: { code: magic_link.code }
assert_redirected_to new_session_path
assert_not cookies[:session_token].present?
end
end
test "create with invalid code" do
identity = identities(:kevin)
magic_link = MagicLink.create!(identity: identity)
+1
View File
@@ -18,6 +18,7 @@ module SessionTestHelper
magic_link = identity.magic_links.order(id: :desc).first
untenanted do
post session_path, params: { email_address: identity.email_address }
post session_magic_link_url, params: { code: magic_link.code }
end