diff --git a/app/controllers/sessions/launchpad_controller.rb b/app/controllers/sessions/launchpad_controller.rb index 9409f2c85..0e2ad16a7 100644 --- a/app/controllers/sessions/launchpad_controller.rb +++ b/app/controllers/sessions/launchpad_controller.rb @@ -1,12 +1,27 @@ class Sessions::LaunchpadController < ApplicationController require_unauthenticated_access + before_action :store_sig, only: :show + before_action :restore_and_clear_sig, only: :update + def show - if user = Current.account.signal_account.authenticate(sig: params[:sig]).try(:peer) + end + + def update + if user = Current.account.signal_account.authenticate(sig: @sig).try(:peer) start_new_session_for user redirect_to after_authentication_url else render plain: "Authentication failed. This is probably a bug.", status: :unauthorized end end + + private + def store_sig + cookies[:_fizzy_launchpad_sig] = params.expect(:sig) + end + + def restore_and_clear_sig + @sig = cookies.delete :_fizzy_launchpad_sig + end end diff --git a/app/views/sessions/launchpad/show.html.erb b/app/views/sessions/launchpad/show.html.erb new file mode 100644 index 000000000..897e39922 --- /dev/null +++ b/app/views/sessions/launchpad/show.html.erb @@ -0,0 +1 @@ +<%= auto_submit_form_with method: :put %> diff --git a/config/routes.rb b/config/routes.rb index 99ac09b83..0e32a0b25 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -85,7 +85,7 @@ Rails.application.routes.draw do scope module: "sessions" do resources :transfers, only: %i[ show update ] end - get "launchpad", to: "sessions/launchpad#show" + resource :launchpad, only: %i[ show update ], controller: "sessions/launchpad" end namespace :signup do diff --git a/test/controllers/sessions/launchpad_controller_test.rb b/test/controllers/sessions/launchpad_controller_test.rb new file mode 100644 index 000000000..2ab50b2a0 --- /dev/null +++ b/test/controllers/sessions/launchpad_controller_test.rb @@ -0,0 +1,30 @@ +require "test_helper" + +class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest + test "show renders when not signed in" do + get session_launchpad_path(params: { sig: "test-sig" }) + + assert_response :success + + assert_equal cookies[:_fizzy_launchpad_sig], "test-sig" + end + + test "create establishes a session when the sig is valid" do + user = users(:david) + cookies[:_fizzy_launchpad_sig] = user.signal_user.perishable_signature + + put session_launchpad_path + + assert_redirected_to root_url + assert parsed_cookies.signed[:session_token] + end + + test "returns 401 when the sig is invalid" do + user = users(:david) + cookies[:sig] = "not-valid" + + put session_launchpad_path + + assert_response :unauthorized + end +end