0160f215f2
Avoid Sentry exceptions when attackers try to stuff invalid emails. The browser performs form field validation that should normally prevent this from occurring, so we just return 422 without validation error messages. Also: - extract redirect_to_session_magic_link helper - some controller refactoring and cleanup
34 lines
815 B
Ruby
34 lines
815 B
Ruby
class SessionsController < ApplicationController
|
|
disallow_account_scope
|
|
require_unauthenticated_access except: :destroy
|
|
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }
|
|
|
|
layout "public"
|
|
|
|
def new
|
|
end
|
|
|
|
def create
|
|
if identity = Identity.find_by_email_address(email_address)
|
|
redirect_to_session_magic_link identity.send_magic_link
|
|
else
|
|
signup = Signup.new(email_address: email_address)
|
|
if signup.valid?(:identity_creation)
|
|
redirect_to_session_magic_link signup.create_identity
|
|
else
|
|
head :unprocessable_entity
|
|
end
|
|
end
|
|
end
|
|
|
|
def destroy
|
|
terminate_session
|
|
redirect_to_logout_url
|
|
end
|
|
|
|
private
|
|
def email_address
|
|
params.expect(:email_address)
|
|
end
|
|
end
|