Prohibit access to magic links unless an email address

This commit is contained in:
Stanko K.R.
2025-12-11 19:17:39 +01:00
parent b6edb93c47
commit abaed12124
2 changed files with 13 additions and 3 deletions
+6 -3
View File
@@ -6,6 +6,7 @@ module Authentication
before_action :require_authentication
after_action :ensure_development_magic_link_not_leaked
helper_method :authenticated?
helper_method :email_address_pending_authentication
etag { Current.identity.id if authenticated? }
@@ -108,9 +109,7 @@ module Authentication
end
def email_address_pending_authentication_matches?(email_address)
pending_email_address = session.fetch(:email_address_pending_authentication, "")
if ActiveSupport::SecurityUtils.secure_compare(email_address, pending_email_address)
if ActiveSupport::SecurityUtils.secure_compare(email_address, email_address_pending_authentication || "")
session.delete(:email_address_pending_authentication)
true
else
@@ -118,6 +117,10 @@ module Authentication
end
end
def email_address_pending_authentication
session[:email_address_pending_authentication]
end
def redirect_to_session_magic_link(magic_link, return_to: nil)
serve_development_magic_link(magic_link)
session[:email_address_pending_authentication] = magic_link.identity.email_address if magic_link
@@ -2,6 +2,7 @@ class Sessions::MagicLinksController < ApplicationController
disallow_account_scope
require_unauthenticated_access
rate_limit to: 10, within: 15.minutes, only: :create, with: -> { redirect_to session_magic_link_path, alert: "Wait 15 minutes, then try again" }
before_action :ensure_that_email_address_pending_authentication_exists
layout "public"
@@ -17,6 +18,12 @@ class Sessions::MagicLinksController < ApplicationController
end
private
def ensure_that_email_address_pending_authentication_exists
unless email_address_pending_authentication.present?
redirect_to new_session_path, alert: "Enter your email address to sign in."
end
end
def authenticate_with(magic_link)
if email_address_pending_authentication_matches?(magic_link.identity.email_address)
start_new_session_for magic_link.identity