Add verified_at timestamp to use for spam prevention

User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Mike Dalessio
2025-12-04 20:20:20 -05:00
parent fa549a370b
commit 4602cd3cdd
16 changed files with 101 additions and 9 deletions
@@ -36,7 +36,7 @@ class JoinCodesControllerTest < ActionDispatch::IntegrationTest
end
assert_redirected_to session_magic_link_url(script_name: nil)
assert_equal new_users_join_url(script_name: @account.slug), session[:return_to_after_authenticating]
assert_equal new_users_verification_url(script_name: @account.slug), session[:return_to_after_authenticating]
end
test "create for existing identity" do
@@ -55,7 +55,7 @@ class JoinCodesControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to landing_url(script_name: @account.slug)
end
test "create for signed-in identity without a user in the account redirects to user setup" do
test "create for signed-in identity without a user in the account redirects to verification" do
identity = identities(:mike)
sign_in_as :mike
@@ -67,6 +67,6 @@ class JoinCodesControllerTest < ActionDispatch::IntegrationTest
end
end
assert_redirected_to new_users_join_url(script_name: @account.slug)
assert_redirected_to new_users_verification_url(script_name: @account.slug)
end
end