Merge pull request #155 from joyofrails/feat/magic-login

Add authentication via magic link

Author: rossta

app/controllers/users/confirmations_controller.rb

@@ -10,7 +10,8 @@ def new
   end
 
   def create
-    @user = User.find_by(email: params.require(:user).permit(:email).dig(:email).to_s.downcase)
+    email = params.require(:user).permit(:email).dig(:email).to_s.downcase
+    @user = User.find_by(email: email)
 
     if @user.blank?
       return redirect_to new_users_confirmation_path, alert: "We are unable to confirm that email address"
@@ -26,7 +27,7 @@ def create
   end
 
   def edit
-    @user = User.find_by_token_for(:confirmation, params[:confirmation_token])
+    @user = User.find_by_token_for(:confirmation, params[:token])
 
     if @user.blank?
       return redirect_to new_users_confirmation_path, alert: "This link is invalid or expired"
@@ -36,11 +37,11 @@ def edit
       return redirect_to root_path, notice: "Your account has already been confirmed"
     end
 
-    render Users::Confirmations::EditView.new(user: @user, confirmation_token: params[:confirmation_token])
+    render Users::Confirmations::EditView.new(user: @user, confirmation_token: params[:token])
   end
 
   def update
-    @user = User.find_by_token_for(:confirmation, params[:confirmation_token])
+    @user = User.find_by_token_for(:confirmation, params[:token])
 
     if @user.blank?
       return redirect_to new_users_confirmation_path, alert: "That link is invalid or expired"

app/controllers/users/magic_session_tokens_controller.rb

@@ -0,0 +1,31 @@
+class Users::MagicSessionTokensController < ApplicationController
+  before_action :feature_enabled!
+  before_action :redirect_if_authenticated
+
+  def new
+    render Users::MagicSessionTokens::NewView.new(user: User.new)
+  end
+
+  def create
+    email = params.require(:user).permit(:email).dig(:email).to_s.downcase
+    @user = User.find_by(email: email)
+
+    if @user.present?
+      MagicSessionTokenNotifier.deliver_to(@user)
+    else
+      Emails::MagicSessionMailer.no_account_found(email).deliver_later
+    end
+
+    redirect_to root_path, notice: "We’ve sent an email with instructions to sign in"
+  end
+
+  def show
+    render Users::MagicSessionTokens::ShowView.new(user: User.new, magic_session_token: params[:token])
+  end
+
+  private
+
+  def feature_enabled!
+    redirect_to root_path, notice: "Coming soon!" unless Flipper.enabled?(:user_registration, current_admin_user)
+  end
+end

app/controllers/users/passwords_controller.rb

@@ -9,7 +9,8 @@ def new
   end
 
   def create
-    @user = User.find_by(email: params.require(:user).permit(:email).dig(:email).to_s.downcase)
+    email = params.require(:user).permit(:email).dig(:email).to_s.downcase
+    @user = User.find_by(email: email)
 
     if @user.blank?
       return redirect_to new_users_session_path, notice: "If that user exists we’ve sent instructions to their email"
@@ -25,7 +26,7 @@ def create
   end
 
   def edit
-    @user = User.find_by_token_for(:password_reset, params[:password_reset_token])
+    @user = User.find_by_token_for(:password_reset, params[:token])
 
     if @user.blank?
       return redirect_to new_users_password_path, alert: "That link is invalid or expired"
@@ -35,11 +36,11 @@ def edit
       return redirect_to new_users_confirmation_path, alert: "You must confirm your email before you can sign in"
     end
 
-    render Users::Passwords::EditView.new(user: @user, password_reset_token: params[:password_reset_token])
+    render Users::Passwords::EditView.new(user: @user, password_reset_token: params[:token])
   end
 
   def update
-    @user = User.find_by_token_for(:password_reset, params[:password_reset_token])
+    @user = User.find_by_token_for(:password_reset, params[:token])
 
     if @user.blank?
       flash.now[:alert] = "That link is invalid or expired"
@@ -54,7 +55,7 @@ def update
       redirect_to new_users_session_path, notice: "Password updated! Please sign in"
     else
       flash.now[:alert] = @user.errors.full_messages.to_sentence
-      render Users::Passwords::EditView.new(user: @user, password_reset_token: params[:password_reset_token]), status: :unprocessable_entity
+      render Users::Passwords::EditView.new(user: @user, password_reset_token: params[:token]), status: :unprocessable_entity
     end
   end
 

app/controllers/users/sessions_controller.rb

@@ -10,7 +10,7 @@ def new
   end
 
   def create
-    @user = warden.authenticate!(:password, scope: :user)
+    @user = warden.authenticate!(scope: :user)
 
     redirect_to login_success_path, notice: "Signed in successfully"
   end

app/lib/warden_extensions/setup.rb

@@ -11,13 +11,23 @@ def configure_manager
         class_name.constantize.find(id)
       end
 
-      # Hooks
-      # Warden::Manager.after_set_user do |user, auth, opts|
-      #   unless user.active?
-      #     auth.logout
-      #     throw(:warden, :message => "User not active")
-      #   end
-      # end
+      Warden::Manager.after_authentication do |user, auth, opts|
+        case opts[:scope]
+        when :user
+          user.signed_in!
+        when :admin_user
+          # no op
+        end
+
+        case auth.winning_strategy&.key
+        when :magic_session
+          user.confirm!
+        when :password
+          # no op
+        else # nil, as with test helpers
+          # no op
+        end
+      end
     end
   end
 end

app/lib/warden_extensions/strategies/magic_session.rb

@@ -0,0 +1,36 @@
+module WardenExtensions::Strategies
+  class MagicSession < ::Warden::Strategies::Base
+    def self.key
+      name.demodulize.underscore.to_sym
+    end
+
+    def key
+      self.class.key
+    end
+
+    def valid?
+      !!token
+    end
+
+    def authenticate!
+      user = scope_class.find_by_token_for(:magic_session, token)
+
+      return fail!(:invalid) if !user
+
+      success!(user)
+    end
+
+    private
+
+    def token
+      params["token"]
+    end
+
+    def scope_class
+      return User unless scope
+      scope.to_s.classify.constantize
+    end
+  end
+end
+
+::Warden::Strategies.add(:magic_session, WardenExtensions::Strategies::MagicSession)

app/lib/warden_extensions/password_strategy.rb renamed to app/lib/warden_extensions/strategies/password.rb

@@ -1,7 +1,15 @@
-module WardenExtensions
-  class PasswordStrategy < ::Warden::Strategies::Base
+module WardenExtensions::Strategies
+  class Password < ::Warden::Strategies::Base
+    def self.key
+      name.demodulize.underscore.to_sym
+    end
+
+    def key
+      self.class.key
+    end
+
     def valid?
-      scoped_params["email"] && scoped_params["password"]
+      !!(scoped_params["email"] && scoped_params["password"])
     end
 
     def authenticate!
@@ -13,14 +21,17 @@ def authenticate!
       success!(user)
     end
 
+    private
+
     def scoped_params
-      params[scope.to_s] || {}
+      params[scope.to_s] || params
     end
 
     def scope_class
+      return User unless scope
       scope.to_s.classify.constantize
     end
   end
 end
 
-::Warden::Strategies.add(:password, WardenExtensions::PasswordStrategy)
+::Warden::Strategies.add(:password, WardenExtensions::Strategies::Password)

app/mailers/application_mailer.rb

@@ -1,4 +1,16 @@
+# frozen_string_literal: true
+
 class ApplicationMailer < ActionMailer::Base
-  default from: "[email protected]"
+  prepend_view_path "app/views/emails"
+
+  SUPPORT_EMAIL = "[email protected]"
+
+  default from: email_address_with_name(SUPPORT_EMAIL, "Joy of Rails")
   layout "emails/mailer"
+
+  def support_email
+    email_address_with_name(SUPPORT_EMAIL, "Joy of Rails")
+  end
+
+  helper_method :support_email
 end

app/mailers/emails/magic_session_mailer.rb

@@ -0,0 +1,12 @@
+class Emails::MagicSessionMailer < ApplicationMailer
+  def sign_in_link(user, magic_session_token)
+    @user = user
+    @magic_session_token = magic_session_token
+
+    mail to: @user.email, subject: "Your sign-in link"
+  end
+
+  def no_account_found(email)
+    mail to: email, subject: "No account found", support_email: support_email
+  end
+end

app/mailers/emails/user_mailer.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 class Emails::UserMailer < ApplicationMailer
-  default from: "[email protected]"
-
   # Subject can be set in your I18n file at config/locales/en.yml
   # with the following lookup:
   #