Trampoline the Launchpad auth redirect from a GET into a POST

to always route it to the writer.
This commit is contained in:
Mike Dalessio
2025-06-20 13:42:48 -04:00
parent 8b68eab6a8
commit 2c18173f08
4 changed files with 48 additions and 2 deletions
@@ -1,12 +1,27 @@
class Sessions::LaunchpadController < ApplicationController
require_unauthenticated_access
before_action :store_sig, only: :show
before_action :restore_and_clear_sig, only: :update
def show
if user = Current.account.signal_account.authenticate(sig: params[:sig]).try(:peer)
end
def update
if user = Current.account.signal_account.authenticate(sig: @sig).try(:peer)
start_new_session_for user
redirect_to after_authentication_url
else
render plain: "Authentication failed. This is probably a bug.", status: :unauthorized
end
end
private
def store_sig
cookies[:_fizzy_launchpad_sig] = params.expect(:sig)
end
def restore_and_clear_sig
@sig = cookies.delete :_fizzy_launchpad_sig
end
end
@@ -0,0 +1 @@
<%= auto_submit_form_with method: :put %>
+1 -1
View File
@@ -85,7 +85,7 @@ Rails.application.routes.draw do
scope module: "sessions" do
resources :transfers, only: %i[ show update ]
end
get "launchpad", to: "sessions/launchpad#show"
resource :launchpad, only: %i[ show update ], controller: "sessions/launchpad"
end
namespace :signup do
@@ -0,0 +1,30 @@
require "test_helper"
class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest
test "show renders when not signed in" do
get session_launchpad_path(params: { sig: "test-sig" })
assert_response :success
assert_equal cookies[:_fizzy_launchpad_sig], "test-sig"
end
test "create establishes a session when the sig is valid" do
user = users(:david)
cookies[:_fizzy_launchpad_sig] = user.signal_user.perishable_signature
put session_launchpad_path
assert_redirected_to root_url
assert parsed_cookies.signed[:session_token]
end
test "returns 401 when the sig is invalid" do
user = users(:david)
cookies[:sig] = "not-valid"
put session_launchpad_path
assert_response :unauthorized
end
end