Stanko K.R.
ca388c2b84
Replace handle_ naming
2025-12-19 19:21:58 +01:00
Stanko K.R.
e0270c6c49
Clean up interfaces
...
I talked to the mobile team, and to keep things simple we agreed to send
the token via a cookie.
2025-12-19 19:21:57 +01:00
Stanko K.R.
1a1f4a077b
Simplify auth logic
2025-12-19 19:21:57 +01:00
Fernando Olivares
cddddcf83a
Fix due to unit test when creating with invalid emails
2025-12-19 19:21:57 +01:00
Fernando Olivares
b3c8d02709
Cleanup session creation
2025-12-19 19:21:57 +01:00
Fernando Olivares
6e8d6a3df0
Update to always return a pending auth token for JSON responses.
2025-12-19 19:21:57 +01:00
Fernando Olivares
877f82c0cc
Pass a server token when creating a magic link via API
2025-12-19 19:21:57 +01:00
Fernando Olivares
a75a939289
Simplify code a bit
2025-12-19 19:21:57 +01:00
Fernando Olivares
360e14352f
Simplify session create logic for both html and json
2025-12-19 19:21:57 +01:00
Stanko K.R.
e5bdb3b071
Add back missing development magic link prompt
2025-12-19 19:21:57 +01:00
Stanko K.R.
b92982b244
Cleanup & simplify sign in
2025-12-19 19:21:57 +01:00
Fernando Olivares
ab0f7a3ea5
Dev: Set magic link as header when JSON request in development
2025-12-19 19:21:57 +01:00
Fernando Olivares
c8eb592746
Allow JSON requests to send a magic link
2025-12-19 19:21:57 +01:00
Stanko K.R.
b6edb93c47
Pin sign in attempts to the current session
...
This makes it way more difficult to brute-force a magic link.
Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files
Discussion: https://github.com/basecamp/fizzy/discussions/1981
Co-Authored-By: Udi <udi@udi.codes >
2025-12-11 19:05:54 +01:00
Adam Haris
eb8655dc8e
refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?)
2025-12-10 15:14:22 +01:00
Adam Haris
bec6036533
refactor
2025-12-10 07:36:03 +01:00
Mike Dalessio
0160f215f2
Validate email before creating identity during sign-up and sign-in
...
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
Also:
- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Stanko K.R.
a8f328c921
Sign up new users on sign in
2025-12-04 11:30:21 +01:00
Jorge Manrubia
c9ebb79dbd
Add some protections around sharing the magic link in development
2025-12-02 10:51:14 +01:00
Stanko K.R.
658b5a07cf
Organize everything under Signups
2025-11-29 11:46:09 +01:00
Stanko K.R.
5747445977
Create signups controller
2025-11-29 10:15:48 +01:00
Jorge Manrubia
d4ad62109c
Rename/extract methods
2025-11-28 15:53:58 +01:00
Jorge Manrubia
4e09352c09
Bring simple signup flow from the fizzy-saas gem
...
We skip the QB code and we fill external account ids automatically on creation with a sequence
See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Mike Dalessio
47c05e6d6a
Restore basic auth on signup
...
broken in 6e304958
2025-11-19 14:12:59 -05:00
David Heinemeier Hansson
6e304958be
No need to protect local dev/test
2025-11-18 14:32:54 +01:00
Stanko K.R.
8fa9566c07
Update sign up
2025-11-17 09:12:40 -05:00
Mike Dalessio
89d1299ec0
Fix authentication on "untenanted" controllers
...
trying out the name "disallow_account_scope" for this, but I don't
think it's quite right yet.
2025-11-17 09:11:47 -05:00
Mike Dalessio
086a9ceada
Revert some auth pieces of "Account.sole → Current.account"
2025-11-17 09:11:45 -05:00
Mike Dalessio
d41d50d52b
Account.sole → Current.account
...
and some other de-tenant changes, including removing the controller
tenanting concerns
2025-11-17 09:11:40 -05:00
David Heinemeier Hansson
1bab9e95aa
Don't want to use real credentials in dev either
2025-11-08 16:29:29 +01:00
Stanko K.R.
bbe74966a1
Extract saas helpers into a concern
2025-11-07 07:08:24 +01:00
Stanko K.R.
3f4d500103
Unify sign in and sign up
2025-11-07 07:06:25 +01:00
Mike Dalessio
d6db4c930b
Print the magic link code in the console in development
2025-11-06 14:51:25 -05:00
David Heinemeier Hansson
877e62dec5
No CR when there are only two statements
2025-11-02 16:30:49 +01:00
Stanko Krtalić
98755844a1
Remove the internal API
...
* Bind sessions to identities
* Remove references to the identity token
* Move email changes to identity
* Move account menu into a turbo-frame
* Create tenants from a tenanted route
2025-10-31 16:26:08 +01:00
Jason Zimdars
5652e5699f
Update design, logo, and copy
2025-10-31 16:26:08 +01:00
Stanko K.R.
201c3e27d3
Update tests for the Internal API
2025-10-31 16:26:08 +01:00
Stanko K.R.
c8843360fe
Clean up and simplify magic links
2025-10-31 16:23:38 +01:00
Stanko K.R.
5cef4ffeb0
Add sign in flow using magic links
2025-10-31 16:22:12 +01:00
Mike Dalessio
2630e4bd74
Extract 37id and QB controllers, models, and tests
2025-09-13 16:03:02 -04:00
Mike Dalessio
e84cd529d5
The "sign out" button now clears the Launchpad login.
...
ref: https://fizzy.37signals.com/5986089/collections/2/cards/1382
2025-08-15 12:25:10 -04:00
Mike Dalessio
57269b1b9c
Allow local authentication with LOCAL_AUTHENTICATION=1
...
You can touch `tmp/local-auth.txt` to persist this setting.
2025-08-06 17:05:35 -04:00
Mike Dalessio
fa1c5f7279
Remove session controller actions other than delete
...
and do some general cleanup around sessions controllers and the
sign_in_as test helper
2025-07-02 15:03:28 -04:00
Kevin McConnell
c84926692e
Never show login page to a logged in user
2025-01-13 14:20:42 +00:00
David Heinemeier Hansson
b53a2b8880
Fix url reference
2024-10-19 19:07:48 -07:00
David Heinemeier Hansson
b7efd04a43
Use _path consistently in the controllers when not changing host
2024-10-19 19:00:04 -07:00
Jeffrey Hardy
7863bb5862
Prompt for first-run setup when no accounts exist
2024-09-30 13:17:31 -04:00
Jeffrey Hardy
1d2de248ee
Only active users can authenticate
2024-09-24 15:51:38 -04:00
Jeffrey Hardy
e3983d5bbe
Use Rails' new sessions generator to replace the existing setup
...
Ref: https://github.com/rails/rails/pull/52328
2024-08-20 14:17:05 -04:00
Kevin McConnell
c4fb1bdc76
Add minimal authentication flow to get started
2024-06-21 16:45:29 +01:00