Commit Graph

53 Commits

Author SHA1 Message Date
Stanko K.R. 017bcc9ce1 Polish up Passkey interface
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
2026-03-18 11:51:10 +01:00
Stanko K.R. da69039476 Implement Passkey authentication 2026-03-18 11:49:23 +01:00
Rosa Gutierrez c059e0b216 Add JSON format support to session destroy for native API clients
This is so that native API clients can get the session record deleted
server-side. They still need to take care of clearing any cookies
they've set in web views.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 19:59:30 +01:00
Stanko K.R. ca388c2b84 Replace handle_ naming 2025-12-19 19:21:58 +01:00
Stanko K.R. e0270c6c49 Clean up interfaces
I talked to the mobile team, and to keep things simple we agreed to send
the token via a cookie.
2025-12-19 19:21:57 +01:00
Stanko K.R. 1a1f4a077b Simplify auth logic 2025-12-19 19:21:57 +01:00
Fernando Olivares cddddcf83a Fix due to unit test when creating with invalid emails 2025-12-19 19:21:57 +01:00
Fernando Olivares b3c8d02709 Cleanup session creation 2025-12-19 19:21:57 +01:00
Fernando Olivares 6e8d6a3df0 Update to always return a pending auth token for JSON responses. 2025-12-19 19:21:57 +01:00
Fernando Olivares 877f82c0cc Pass a server token when creating a magic link via API 2025-12-19 19:21:57 +01:00
Fernando Olivares a75a939289 Simplify code a bit 2025-12-19 19:21:57 +01:00
Fernando Olivares 360e14352f Simplify session create logic for both html and json 2025-12-19 19:21:57 +01:00
Stanko K.R. e5bdb3b071 Add back missing development magic link prompt 2025-12-19 19:21:57 +01:00
Stanko K.R. b92982b244 Cleanup & simplify sign in 2025-12-19 19:21:57 +01:00
Fernando Olivares ab0f7a3ea5 Dev: Set magic link as header when JSON request in development 2025-12-19 19:21:57 +01:00
Fernando Olivares c8eb592746 Allow JSON requests to send a magic link 2025-12-19 19:21:57 +01:00
Stanko K.R. b6edb93c47 Pin sign in attempts to the current session
This makes it way more difficult to brute-force a magic link.

Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files

Discussion: https://github.com/basecamp/fizzy/discussions/1981

Co-Authored-By: Udi <udi@udi.codes>
2025-12-11 19:05:54 +01:00
Adam Haris eb8655dc8e refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?) 2025-12-10 15:14:22 +01:00
Adam Haris bec6036533 refactor 2025-12-10 07:36:03 +01:00
Mike Dalessio 0160f215f2 Validate email before creating identity during sign-up and sign-in
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Stanko K.R. a8f328c921 Sign up new users on sign in 2025-12-04 11:30:21 +01:00
Jorge Manrubia c9ebb79dbd Add some protections around sharing the magic link in development 2025-12-02 10:51:14 +01:00
Stanko K.R. 658b5a07cf Organize everything under Signups 2025-11-29 11:46:09 +01:00
Stanko K.R. 5747445977 Create signups controller 2025-11-29 10:15:48 +01:00
Jorge Manrubia d4ad62109c Rename/extract methods 2025-11-28 15:53:58 +01:00
Jorge Manrubia 4e09352c09 Bring simple signup flow from the fizzy-saas gem
We skip the QB code and we fill external account ids automatically on creation with a sequence

See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Mike Dalessio 47c05e6d6a Restore basic auth on signup
broken in 6e304958
2025-11-19 14:12:59 -05:00
David Heinemeier Hansson 6e304958be No need to protect local dev/test 2025-11-18 14:32:54 +01:00
Stanko K.R. 8fa9566c07 Update sign up 2025-11-17 09:12:40 -05:00
Mike Dalessio 89d1299ec0 Fix authentication on "untenanted" controllers
trying out the name "disallow_account_scope" for this, but I don't
think it's quite right yet.
2025-11-17 09:11:47 -05:00
Mike Dalessio 086a9ceada Revert some auth pieces of "Account.sole → Current.account" 2025-11-17 09:11:45 -05:00
Mike Dalessio d41d50d52b Account.sole → Current.account
and some other de-tenant changes, including removing the controller
tenanting concerns
2025-11-17 09:11:40 -05:00
David Heinemeier Hansson 1bab9e95aa Don't want to use real credentials in dev either 2025-11-08 16:29:29 +01:00
Stanko K.R. bbe74966a1 Extract saas helpers into a concern 2025-11-07 07:08:24 +01:00
Stanko K.R. 3f4d500103 Unify sign in and sign up 2025-11-07 07:06:25 +01:00
Mike Dalessio d6db4c930b Print the magic link code in the console in development 2025-11-06 14:51:25 -05:00
David Heinemeier Hansson 877e62dec5 No CR when there are only two statements 2025-11-02 16:30:49 +01:00
Stanko Krtalić 98755844a1 Remove the internal API
* Bind sessions to identities
* Remove references to the identity token
* Move email changes to identity
* Move account menu into a turbo-frame
* Create tenants from a tenanted route
2025-10-31 16:26:08 +01:00
Jason Zimdars 5652e5699f Update design, logo, and copy 2025-10-31 16:26:08 +01:00
Stanko K.R. 201c3e27d3 Update tests for the Internal API 2025-10-31 16:26:08 +01:00
Stanko K.R. c8843360fe Clean up and simplify magic links 2025-10-31 16:23:38 +01:00
Stanko K.R. 5cef4ffeb0 Add sign in flow using magic links 2025-10-31 16:22:12 +01:00
Mike Dalessio 2630e4bd74 Extract 37id and QB controllers, models, and tests 2025-09-13 16:03:02 -04:00
Mike Dalessio e84cd529d5 The "sign out" button now clears the Launchpad login.
ref: https://fizzy.37signals.com/5986089/collections/2/cards/1382
2025-08-15 12:25:10 -04:00
Mike Dalessio 57269b1b9c Allow local authentication with LOCAL_AUTHENTICATION=1
You can touch `tmp/local-auth.txt` to persist this setting.
2025-08-06 17:05:35 -04:00
Mike Dalessio fa1c5f7279 Remove session controller actions other than delete
and do some general cleanup around sessions controllers and the
sign_in_as test helper
2025-07-02 15:03:28 -04:00
Kevin McConnell c84926692e Never show login page to a logged in user 2025-01-13 14:20:42 +00:00
David Heinemeier Hansson b53a2b8880 Fix url reference 2024-10-19 19:07:48 -07:00
David Heinemeier Hansson b7efd04a43 Use _path consistently in the controllers when not changing host 2024-10-19 19:00:04 -07:00
Jeffrey Hardy 7863bb5862 Prompt for first-run setup when no accounts exist 2024-09-30 13:17:31 -04:00