diff --git a/app/controllers/sessions/launchpad_controller.rb b/app/controllers/sessions/launchpad_controller.rb index 0e2ad16a7..8a9a082dd 100644 --- a/app/controllers/sessions/launchpad_controller.rb +++ b/app/controllers/sessions/launchpad_controller.rb @@ -1,8 +1,7 @@ class Sessions::LaunchpadController < ApplicationController require_unauthenticated_access - before_action :store_sig, only: :show - before_action :restore_and_clear_sig, only: :update + before_action :require_sig def show end @@ -17,11 +16,7 @@ class Sessions::LaunchpadController < ApplicationController end private - def store_sig - cookies[:_fizzy_launchpad_sig] = params.expect(:sig) - end - - def restore_and_clear_sig - @sig = cookies.delete :_fizzy_launchpad_sig + def require_sig + @sig = params.expect(:sig) end end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 428c5a7f4..fa7d98974 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -1,28 +1,6 @@ class SessionsController < ApplicationController - require_unauthenticated_access only: %i[ new create ] - rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." } - - before_action :require_first_run_completion - - def new - end - - def create - if user = User.active.authenticate_by(params.permit(:email_address, :password)) - start_new_session_for user - redirect_to after_authentication_url - else - redirect_to new_session_path, alert: "Try another email address or password." - end - end - def destroy terminate_session - redirect_to new_session_path + redirect_to Launchpad.login_url, allow_other_host: true end - - private - def require_first_run_completion - redirect_to first_run_path if Account.none? - end end diff --git a/app/views/sessions/launchpad/show.html.erb b/app/views/sessions/launchpad/show.html.erb index 897e39922..c9acf341d 100644 --- a/app/views/sessions/launchpad/show.html.erb +++ b/app/views/sessions/launchpad/show.html.erb @@ -1 +1,3 @@ -<%= auto_submit_form_with method: :put %> +<%= auto_submit_form_with(method: :put) do |form| %> + <%= form.hidden_field(:sig, value: @sig) %> +<% end %> diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb deleted file mode 100644 index d806a904f..000000000 --- a/app/views/sessions/new.html.erb +++ /dev/null @@ -1,30 +0,0 @@ -<% @page_title = "Sign in" %> - -
" style="--panel-size: 55ch;"> -

Fizzy

- - <%= form_with url: session_path, class: "flex flex-column gap txt-large" do |form| %> -
- -
- -
- -
- - - <% end %> -
- -<% content_for :footer do %> -
Fizzy™ version 0
-<% end %> diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index 847782db8..2111155d6 100644 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -2,7 +2,7 @@ <% content_for :header do %> diff --git a/config/routes.rb b/config/routes.rb index df5d8ad7c..27fdf59a6 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -84,11 +84,11 @@ Rails.application.routes.draw do get "join/:join_code", to: "users#new", as: :join post "join/:join_code", to: "users#create" - resource :session do + resource :session, only: :destroy do scope module: "sessions" do resources :transfers, only: %i[ show update ] + resource :launchpad, only: %i[ show update ], controller: "launchpad" end - resource :launchpad, only: %i[ show update ], controller: "sessions/launchpad" end namespace :signup do diff --git a/test/controllers/sessions/launchpad_controller_test.rb b/test/controllers/sessions/launchpad_controller_test.rb index 2ab50b2a0..c67ac8ee2 100644 --- a/test/controllers/sessions/launchpad_controller_test.rb +++ b/test/controllers/sessions/launchpad_controller_test.rb @@ -6,14 +6,16 @@ class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest assert_response :success - assert_equal cookies[:_fizzy_launchpad_sig], "test-sig" + assert_select "form input#sig" do |node| + assert_equal node.length, 1 + assert_equal node.first["value"], "test-sig" + end end test "create establishes a session when the sig is valid" do user = users(:david) - cookies[:_fizzy_launchpad_sig] = user.signal_user.perishable_signature - put session_launchpad_path + put session_launchpad_path(params: { sig: user.signal_user.perishable_signature }) assert_redirected_to root_url assert parsed_cookies.signed[:session_token] @@ -21,9 +23,8 @@ class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest test "returns 401 when the sig is invalid" do user = users(:david) - cookies[:sig] = "not-valid" - put session_launchpad_path + put session_launchpad_path(params: { sig: "invalid" }) assert_response :unauthorized end diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb index 1cf460c6c..35a6b0385 100644 --- a/test/controllers/sessions_controller_test.rb +++ b/test/controllers/sessions_controller_test.rb @@ -1,38 +1,10 @@ require "test_helper" class SessionsControllerTest < ActionDispatch::IntegrationTest - ALLOWED_BROWSER = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15" - DISALLOWED_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0" - - test "new" do - get new_session_path - assert_response :success - end - - test "new enforces browser compatibility" do - get new_session_path, env: { "HTTP_USER_AGENT" => DISALLOWED_BROWSER } - assert_select "svg", message: /Your browser is not supported/ - - get new_session_path, env: { "HTTP_USER_AGENT" => ALLOWED_BROWSER } - assert_select "svg", text: /Your browser is not supported/, count: 0 - end - - test "create with valid credentials" do - post session_path, params: { email_address: "david@37signals.com", password: "secret123456" } - assert_redirected_to root_path - assert cookies[:session_token].present? - end - - test "create with invalid credentials" do - post session_path, params: { email_address: "david@37signals.com", password: "wrong" } - assert_redirected_to new_session_path - assert_not cookies[:session_token].present? - end - test "destroy" do sign_in_as :kevin delete session_path - assert_redirected_to new_session_path + assert_redirected_to Launchpad.login_url assert_not cookies[:session_token].present? end end diff --git a/test/test_helpers/session_test_helper.rb b/test/test_helpers/session_test_helper.rb index 5e4f7eaf0..f4bb6aa45 100644 --- a/test/test_helpers/session_test_helper.rb +++ b/test/test_helpers/session_test_helper.rb @@ -6,7 +6,7 @@ module SessionTestHelper def sign_in_as(user) cookies[:session_token] = nil user = users(user) unless user.is_a? User - post session_path, params: { email_address: user.email_address, password: "secret123456" } + put session_launchpad_path, params: { sig: user.signal_user.perishable_signature } assert cookies[:session_token].present? end