00eee29837
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form field will validate this in the browser, but if bots are creating identities, they can put whatever they want in here. So let's add some protection against that. The HtmlHelper regex was renamed here to avoid confusing Brakeman, which does imprecise constant lookup and was confusing the two constants, one of which uses `\A` and `\z` and the other does not (intentionally). ref: https://app.fizzy.do/5986089/cards/3276
29 lines
786 B
Ruby
29 lines
786 B
Ruby
class Identity < ApplicationRecord
|
|
include Joinable, Transferable
|
|
|
|
has_many :magic_links, dependent: :destroy
|
|
has_many :sessions, dependent: :destroy
|
|
has_many :users, dependent: :nullify
|
|
has_many :accounts, through: :users
|
|
|
|
has_one_attached :avatar
|
|
|
|
before_destroy :deactivate_users
|
|
|
|
validates :email_address, format: { with: URI::MailTo::EMAIL_REGEXP }
|
|
normalizes :email_address, with: ->(value) { value.strip.downcase.presence }
|
|
|
|
def send_magic_link(**attributes)
|
|
attributes[:purpose] = attributes.delete(:for) if attributes.key?(:for)
|
|
|
|
magic_links.create!(attributes).tap do |magic_link|
|
|
MagicLinkMailer.sign_in_instructions(magic_link).deliver_later
|
|
end
|
|
end
|
|
|
|
private
|
|
def deactivate_users
|
|
users.find_each(&:deactivate)
|
|
end
|
|
end
|