From c9ebb79dbde78dc7d5e053d53f87b0e1907ee6df Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Tue, 2 Dec 2025 10:51:14 +0100 Subject: [PATCH] Add some protections around sharing the magic link in development --- app/controllers/concerns/authentication.rb | 13 +++++++++++++ app/controllers/join_codes_controller.rb | 2 +- app/controllers/sessions_controller.rb | 2 +- test/controllers/sessions_controller_test.rb | 1 + 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index 23f82dbd2..89eda5887 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -4,6 +4,7 @@ module Authentication included do before_action :require_account # Checking and setting account must happen first before_action :require_authentication + after_action :ensure_development_magic_link_not_leaked helper_method :authenticated? etag { Current.session.id if authenticated? } @@ -89,4 +90,16 @@ module Authentication Current.session.destroy cookies.delete(:session_token) end + + def ensure_development_magic_link_not_leaked + unless Rails.env.development? + raise "Leaking magic link via flash in #{Rails.env}?" if flash[:magic_link_code].present? + end + end + + def serve_development_magic_link(magic_link) + if Rails.env.development? + flash[:magic_link_code] = magic_link&.code + end + end end diff --git a/app/controllers/join_codes_controller.rb b/app/controllers/join_codes_controller.rb index 440618c83..5b0977cd5 100644 --- a/app/controllers/join_codes_controller.rb +++ b/app/controllers/join_codes_controller.rb @@ -42,7 +42,7 @@ class JoinCodesController < ApplicationController terminate_session if Current.identity magic_link = identity.send_magic_link - flash[:magic_link_code] = magic_link&.code if Rails.env.development? + serve_development_magic_link(magic_link) session[:return_to_after_authenticating] = new_users_join_url(script_name: @join_code.account.slug) end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 72131e61c..31ca0006f 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -11,7 +11,7 @@ class SessionsController < ApplicationController def create if identity = Identity.find_by_email_address(email_address) magic_link = identity.send_magic_link - flash[:magic_link_code] = magic_link&.code if Rails.env.development? + serve_development_magic_link(magic_link) end redirect_to session_magic_link_path diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb index 8edf74573..9dbcc770d 100644 --- a/test/controllers/sessions_controller_test.rb +++ b/test/controllers/sessions_controller_test.rb @@ -18,6 +18,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest end assert_redirected_to session_magic_link_path + assert_nil flash[:magic_link_code] end end