diff --git a/app/controllers/sessions/launchpad_controller.rb b/app/controllers/sessions/launchpad_controller.rb
index 0e2ad16a7..8a9a082dd 100644
--- a/app/controllers/sessions/launchpad_controller.rb
+++ b/app/controllers/sessions/launchpad_controller.rb
@@ -1,8 +1,7 @@
class Sessions::LaunchpadController < ApplicationController
require_unauthenticated_access
- before_action :store_sig, only: :show
- before_action :restore_and_clear_sig, only: :update
+ before_action :require_sig
def show
end
@@ -17,11 +16,7 @@ class Sessions::LaunchpadController < ApplicationController
end
private
- def store_sig
- cookies[:_fizzy_launchpad_sig] = params.expect(:sig)
- end
-
- def restore_and_clear_sig
- @sig = cookies.delete :_fizzy_launchpad_sig
+ def require_sig
+ @sig = params.expect(:sig)
end
end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 428c5a7f4..fa7d98974 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,28 +1,6 @@
class SessionsController < ApplicationController
- require_unauthenticated_access only: %i[ new create ]
- rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }
-
- before_action :require_first_run_completion
-
- def new
- end
-
- def create
- if user = User.active.authenticate_by(params.permit(:email_address, :password))
- start_new_session_for user
- redirect_to after_authentication_url
- else
- redirect_to new_session_path, alert: "Try another email address or password."
- end
- end
-
def destroy
terminate_session
- redirect_to new_session_path
+ redirect_to Launchpad.login_url, allow_other_host: true
end
-
- private
- def require_first_run_completion
- redirect_to first_run_path if Account.none?
- end
end
diff --git a/app/views/sessions/launchpad/show.html.erb b/app/views/sessions/launchpad/show.html.erb
index 897e39922..c9acf341d 100644
--- a/app/views/sessions/launchpad/show.html.erb
+++ b/app/views/sessions/launchpad/show.html.erb
@@ -1 +1,3 @@
-<%= auto_submit_form_with method: :put %>
+<%= auto_submit_form_with(method: :put) do |form| %>
+ <%= form.hidden_field(:sig, value: @sig) %>
+<% end %>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
deleted file mode 100644
index d806a904f..000000000
--- a/app/views/sessions/new.html.erb
+++ /dev/null
@@ -1,30 +0,0 @@
-<% @page_title = "Sign in" %>
-
-
" style="--panel-size: 55ch;">
-
Fizzy
-
- <%= form_with url: session_path, class: "flex flex-column gap txt-large" do |form| %>
-
-
-
-
-
-
-
-
-
- <% end %>
-
-
-<% content_for :footer do %>
- Fizzy™ version 0
-<% end %>
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
index 847782db8..2111155d6 100644
--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@@ -2,7 +2,7 @@
<% content_for :header do %>
diff --git a/config/routes.rb b/config/routes.rb
index df5d8ad7c..27fdf59a6 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -84,11 +84,11 @@ Rails.application.routes.draw do
get "join/:join_code", to: "users#new", as: :join
post "join/:join_code", to: "users#create"
- resource :session do
+ resource :session, only: :destroy do
scope module: "sessions" do
resources :transfers, only: %i[ show update ]
+ resource :launchpad, only: %i[ show update ], controller: "launchpad"
end
- resource :launchpad, only: %i[ show update ], controller: "sessions/launchpad"
end
namespace :signup do
diff --git a/test/controllers/sessions/launchpad_controller_test.rb b/test/controllers/sessions/launchpad_controller_test.rb
index 2ab50b2a0..c67ac8ee2 100644
--- a/test/controllers/sessions/launchpad_controller_test.rb
+++ b/test/controllers/sessions/launchpad_controller_test.rb
@@ -6,14 +6,16 @@ class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest
assert_response :success
- assert_equal cookies[:_fizzy_launchpad_sig], "test-sig"
+ assert_select "form input#sig" do |node|
+ assert_equal node.length, 1
+ assert_equal node.first["value"], "test-sig"
+ end
end
test "create establishes a session when the sig is valid" do
user = users(:david)
- cookies[:_fizzy_launchpad_sig] = user.signal_user.perishable_signature
- put session_launchpad_path
+ put session_launchpad_path(params: { sig: user.signal_user.perishable_signature })
assert_redirected_to root_url
assert parsed_cookies.signed[:session_token]
@@ -21,9 +23,8 @@ class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest
test "returns 401 when the sig is invalid" do
user = users(:david)
- cookies[:sig] = "not-valid"
- put session_launchpad_path
+ put session_launchpad_path(params: { sig: "invalid" })
assert_response :unauthorized
end
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index 1cf460c6c..35a6b0385 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -1,38 +1,10 @@
require "test_helper"
class SessionsControllerTest < ActionDispatch::IntegrationTest
- ALLOWED_BROWSER = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15"
- DISALLOWED_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0"
-
- test "new" do
- get new_session_path
- assert_response :success
- end
-
- test "new enforces browser compatibility" do
- get new_session_path, env: { "HTTP_USER_AGENT" => DISALLOWED_BROWSER }
- assert_select "svg", message: /Your browser is not supported/
-
- get new_session_path, env: { "HTTP_USER_AGENT" => ALLOWED_BROWSER }
- assert_select "svg", text: /Your browser is not supported/, count: 0
- end
-
- test "create with valid credentials" do
- post session_path, params: { email_address: "david@37signals.com", password: "secret123456" }
- assert_redirected_to root_path
- assert cookies[:session_token].present?
- end
-
- test "create with invalid credentials" do
- post session_path, params: { email_address: "david@37signals.com", password: "wrong" }
- assert_redirected_to new_session_path
- assert_not cookies[:session_token].present?
- end
-
test "destroy" do
sign_in_as :kevin
delete session_path
- assert_redirected_to new_session_path
+ assert_redirected_to Launchpad.login_url
assert_not cookies[:session_token].present?
end
end
diff --git a/test/test_helpers/session_test_helper.rb b/test/test_helpers/session_test_helper.rb
index 5e4f7eaf0..f4bb6aa45 100644
--- a/test/test_helpers/session_test_helper.rb
+++ b/test/test_helpers/session_test_helper.rb
@@ -6,7 +6,7 @@ module SessionTestHelper
def sign_in_as(user)
cookies[:session_token] = nil
user = users(user) unless user.is_a? User
- post session_path, params: { email_address: user.email_address, password: "secret123456" }
+ put session_launchpad_path, params: { sig: user.signal_user.perishable_signature }
assert cookies[:session_token].present?
end