Fix authentication on "untenanted" controllers

trying out the name "disallow_account_scope" for this, but I don't
think it's quite right yet.
This commit is contained in:
Mike Dalessio
2025-11-10 14:25:15 -05:00
parent 086a9ceada
commit 89d1299ec0
11 changed files with 23 additions and 22 deletions
+1 -1
View File
@@ -4,7 +4,7 @@ class SessionsController < ApplicationController
SIGNUP_PASSWORD = Rails.env.local? ? "testpassword" : Rails.application.credentials.account_signup_http_basic_auth.password
http_basic_authenticate_with name: SIGNUP_USERNAME, password: SIGNUP_PASSWORD, realm: "Fizzy Signup", only: :create, unless: -> { Identity.exists?(email_address: email_address) }
require_untenanted_access
disallow_account_scope
require_unauthenticated_access except: :destroy
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }