From 877f82c0cc3da8846671f14c5134df6889b8e0ce Mon Sep 17 00:00:00 2001 From: Fernando Olivares Date: Fri, 12 Dec 2025 12:27:05 -0600 Subject: [PATCH] Pass a server token when creating a magic link via API --- app/controllers/concerns/authentication.rb | 14 +++++++++++++- app/controllers/sessions_controller.rb | 2 +- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index 4054a3078..dbea14ada 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -118,7 +118,19 @@ module Authentication end def email_address_pending_authentication - session[:email_address_pending_authentication] + if request.format.json? + verified_pending_authentication_token + else + session[:email_address_pending_authentication] + end + end + + def pending_authentication_token_for(email_address) + Rails.application.message_verifier(:pending_authentication).generate(email_address, expires_in: 10.minutes) + end + + def verified_pending_authentication_token + Rails.application.message_verifier(:pending_authentication).verified(params[:pending_authentication_token]) end def redirect_to_session_magic_link(magic_link, return_to: nil) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index a23fa69fc..8d93d1dc2 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -14,7 +14,7 @@ class SessionsController < ApplicationController respond_to do |format| format.html { redirect_to_session_magic_link magic_link } - format.json { head :created } + format.json { render json: { pending_authentication_token: pending_authentication_token_for(email_address) }, status: :created } end else head :unprocessable_entity