class SessionsController < ApplicationController allow_unauthenticated_access only: %i[ new create ] rate_limit to: 10, within: 3.minutes, only: :create, with: -> { render_rejection :too_many_requests } def new end def create if user = User.active.authenticate_by(user_params) start_new_session_for user redirect_to post_authenticating_url else render_rejection :unauthorized end end def destroy reset_authentication redirect_to root_url end private def user_params params.require(:user).permit(:email_address, :password) end def render_rejection(status) flash[:alert] = "Too many requests or unauthorized." render :new, status: status end end