Merge pull request #1792 from basecamp/magic-secure

Protect against sharing the magic link in development
This commit is contained in:
Jorge Manrubia
2025-12-02 10:54:23 +01:00
committed by GitHub
4 changed files with 16 additions and 2 deletions
@@ -4,6 +4,7 @@ module Authentication
included do
before_action :require_account # Checking and setting account must happen first
before_action :require_authentication
after_action :ensure_development_magic_link_not_leaked
helper_method :authenticated?
etag { Current.session.id if authenticated? }
@@ -89,4 +90,16 @@ module Authentication
Current.session.destroy
cookies.delete(:session_token)
end
def ensure_development_magic_link_not_leaked
unless Rails.env.development?
raise "Leaking magic link via flash in #{Rails.env}?" if flash[:magic_link_code].present?
end
end
def serve_development_magic_link(magic_link)
if Rails.env.development?
flash[:magic_link_code] = magic_link&.code
end
end
end
+1 -1
View File
@@ -42,7 +42,7 @@ class JoinCodesController < ApplicationController
terminate_session if Current.identity
magic_link = identity.send_magic_link
flash[:magic_link_code] = magic_link&.code if Rails.env.development?
serve_development_magic_link(magic_link)
session[:return_to_after_authenticating] = new_users_join_url(script_name: @join_code.account.slug)
end
+1 -1
View File
@@ -11,7 +11,7 @@ class SessionsController < ApplicationController
def create
if identity = Identity.find_by_email_address(email_address)
magic_link = identity.send_magic_link
flash[:magic_link_code] = magic_link&.code if Rails.env.development?
serve_development_magic_link(magic_link)
end
redirect_to session_magic_link_path
@@ -18,6 +18,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
end
assert_redirected_to session_magic_link_path
assert_nil flash[:magic_link_code]
end
end