From 6e8d6a3df05de4255b4c7e72868168e3d09ba59c Mon Sep 17 00:00:00 2001 From: Fernando Olivares Date: Fri, 12 Dec 2025 13:05:33 -0600 Subject: [PATCH] Update to always return a pending auth token for JSON responses. --- app/controllers/sessions_controller.rb | 5 ++++- test/controllers/api_test.rb | 5 +++-- test/controllers/sessions_controller_test.rb | 19 +++++++------------ 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 8d93d1dc2..827f45f0b 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -17,7 +17,10 @@ class SessionsController < ApplicationController format.json { render json: { pending_authentication_token: pending_authentication_token_for(email_address) }, status: :created } end else - head :unprocessable_entity + respond_to do |format| + format.html { redirect_to session_magic_link_path } + format.json { render json: { pending_authentication_token: pending_authentication_token_for(email_address) }, status: :created } + end end end diff --git a/test/controllers/api_test.rb b/test/controllers/api_test.rb index cc9ed7507..053a14500 100644 --- a/test/controllers/api_test.rb +++ b/test/controllers/api_test.rb @@ -125,12 +125,13 @@ class ApiTest < ActionDispatch::IntegrationTest end end - test "create session with invalid email via JSON" do + test "create session with invalid email via JSON still returns token to prevent enumeration" do untenanted do assert_no_difference -> { Identity.count } do post session_path(format: :json), params: { email_address: "not-a-valid-email" } end - assert_response :unprocessable_entity + assert_response :created + assert @response.parsed_body["pending_authentication_token"].present? end end diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb index 78c7937e2..31fb84dd6 100644 --- a/test/controllers/sessions_controller_test.rb +++ b/test/controllers/sessions_controller_test.rb @@ -55,23 +55,18 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest end end - assert_response :unprocessable_entity + assert_redirected_to session_magic_link_path end end end - test "create with invalid email address" do - # Avoid Sentry exceptions when attackers try to stuff invalid emails. The browser performs form - # field validation that should normally prevent this from occurring, so I'm not worried about - # returning proper validation errors. - without_action_dispatch_exception_handling do - untenanted do - assert_no_difference -> { Identity.count } do - post session_path, params: { email_address: "not-a-valid-email" } - end - - assert_response :unprocessable_entity + test "create with invalid email address still redirects to prevent enumeration" do + untenanted do + assert_no_difference -> { Identity.count } do + post session_path, params: { email_address: "not-a-valid-email" } end + + assert_redirected_to session_magic_link_path end end