class SessionsController < ApplicationController disallow_account_scope require_unauthenticated_access except: :destroy rate_limit to: 10, within: 3.minutes, only: :create, with: :rate_limit_exceeded layout "public" def new end def create if magic_link = magic_link_from_sign_in_or_sign_up serve_development_magic_link magic_link respond_to do |format| format.html { redirect_to_session_magic_link magic_link } format.json { render json: { pending_authentication_token: pending_authentication_token_for(email_address) }, status: :created } end else respond_to do |format| format.html { redirect_to session_magic_link_path } format.json { render json: { pending_authentication_token: pending_authentication_token_for(email_address) }, status: :created } end end end def destroy terminate_session redirect_to_logout_url end private def magic_link_from_sign_in_or_sign_up if identity = Identity.find_by_email_address(email_address) identity.send_magic_link else signup = Signup.new(email_address: email_address) signup.create_identity if signup.valid?(:identity_creation) && Account.accepting_signups? end end def email_address params.expect(:email_address) end def rate_limit_exceeded rate_limit_exceeded_message = "Try again later." respond_to do |format| format.html { redirect_to new_session_path, alert: rate_limit_exceeded_message } format.json { render json: { message: rate_limit_exceeded_message }, status: :too_many_requests } end end end