From c0a0786539b7aacc9f0cb4c91b4a8e689eaeb55e Mon Sep 17 00:00:00 2001 From: "Stanko K.R." Date: Fri, 5 Dec 2025 17:54:58 +0100 Subject: [PATCH] Return the session cookie We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication. --- app/controllers/sessions/magic_links_controller.rb | 13 ++++--------- test/controllers/api_test.rb | 2 +- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/app/controllers/sessions/magic_links_controller.rb b/app/controllers/sessions/magic_links_controller.rb index 958e8834a..d83e7f807 100644 --- a/app/controllers/sessions/magic_links_controller.rb +++ b/app/controllers/sessions/magic_links_controller.rb @@ -34,16 +34,11 @@ class Sessions::MagicLinksController < ApplicationController def respond_to_valid_code_from(magic_link) if email_address_pending_authentication_matches?(magic_link.identity.email_address) - respond_to do |format| - format.html do - start_new_session_for magic_link.identity - redirect_to after_sign_in_url(magic_link) - end + start_new_session_for magic_link.identity - format.json do - new_access_token = magic_link.identity.access_tokens.create!(permission: :write) - render json: { access_token: new_access_token.token } - end + respond_to do |format| + format.html { redirect_to after_sign_in_url(magic_link) } + format.json { render json: { session_token: cookies[:session_token] } } end else alert_message = "Authentication failed. Please try again." diff --git a/test/controllers/api_test.rb b/test/controllers/api_test.rb index d8ae510d5..1830dc2a3 100644 --- a/test/controllers/api_test.rb +++ b/test/controllers/api_test.rb @@ -20,7 +20,7 @@ class ApiTest < ActionDispatch::IntegrationTest untenanted do post session_magic_link_path(format: :json), params: { code: magic_link.code } assert_response :success - assert @response.parsed_body["access_token"].present? + assert @response.parsed_body["session_token"].present? end end