Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add paranoid flag to options #182

Closed
wants to merge 2 commits into from
Closed

Add paranoid flag to options #182

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d379104
Add paranoid flag
divagueame Nov 13, 2023
d897c78
Merge branch 'mikker:master' into paranoid-flag
divagueame Nov 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,7 @@ Passwordless.configure do |config|
config.parent_mailer = "ActionMailer::Base"
config.restrict_token_reuse = false # Can a token/link be used multiple times?
config.token_generator = Passwordless::ShortTokenGenerator.new # Used to generate magic link tokens.
config.paranoid = false # Set to `true` to prevent unintentional email existence leaks in the database.

config.expires_at = lambda { 1.year.from_now } # How long until a signed in session expires.
config.timeout_at = lambda { 10.minutes.from_now } # How long until a token/magic link times out.
Expand Down
35 changes: 26 additions & 9 deletions app/controllers/passwordless/sessions_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,20 +21,20 @@ def new
# redirects to sign in page with generic flash message.
def create
unless @resource = find_authenticatable
raise(
ActiveRecord::RecordNotFound,
"Couldn't find #{authenticatable_type} with email #{passwordless_session_params[email_field]}"
)
if Passwordless.config.paranoid
@resource = mock_authenticatable
else
raise(
ActiveRecord::RecordNotFound,
"Couldn't find #{authenticatable_type} with email #{passwordless_session_params[email_field]}"
)
end
end

@session = build_passwordless_session(@resource)

if @session.save
if Passwordless.config.after_session_save.arity == 2
Passwordless.config.after_session_save.call(@session, request)
else
Passwordless.config.after_session_save.call(@session)
end
after_session_save_call

redirect_to(
Passwordless.context.path_for(
Expand Down Expand Up @@ -141,6 +141,16 @@ def artificially_slow_down_brute_force_attacks(token)
BCrypt::Password.create(token)
end

def after_session_save_call
# @resource is mocked when paranoid option is enabled and a non existent user tries to log in
return if @resource.instance_variable_get(:@mocked)
if Passwordless.config.after_session_save.arity == 2
Passwordless.config.after_session_save.call(@session, request)
else
Passwordless.config.after_session_save.call(@session)
end
end

def authenticate_and_sign_in(session, token)
if session.authenticate(token)
sign_in(session)
Expand Down Expand Up @@ -180,6 +190,13 @@ def find_authenticatable
end
end

def mock_authenticatable
email = passwordless_session_params[email_field].downcase.strip
resource = authenticatable_class.new(email: email)
resource.instance_variable_set(:@mocked, true)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this is a clever solution I also think it's a little bit too invasive, I guess. I wonder if we can come up with another solution that completely avoids having to mock anything?

resource
end

def email_field
authenticatable_class.passwordless_email_field
rescue NoMethodError => e
Expand Down
1 change: 1 addition & 0 deletions lib/passwordless/config.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ class Configuration
option :parent_mailer, default: "ActionMailer::Base"
option :restrict_token_reuse, default: true
option :token_generator, default: ShortTokenGenerator.new
option :paranoid, default: false

option :expires_at, default: lambda { 1.year.from_now }
option :timeout_at, default: lambda { 10.minutes.from_now }
Expand Down
28 changes: 28 additions & 0 deletions test/controllers/passwordless/sessions_controller_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,34 @@ class << User
assert_match "We couldn't find a user with that email address", flash[:error]
end

test("POST /:passwordless_for/sign_in -> SUCCESS / Paranoid flag enabled") do
create_user(email: "a@a")

with_config(paranoid: true) do
post("/users/sign_in", params: {passwordless: {email: "a@a"}})
end

assert_equal 302, status
assert_equal 1, ActionMailer::Base.deliveries.size

follow_redirect!
assert_equal "/users/sign_in/#{Session.last!.identifier}", path
assert_match "We've sent you an email with a secret token", flash[:notice]
end

test("POST /:passwordless_for/sign_in -> SUCCESS / Paranoid flag enabled. Does not leak existing emails") do
with_config(paranoid: true) do
post("/users/sign_in", params: {passwordless: {email: "a@a"}})
end

assert_equal 302, status

assert_equal 0, ActionMailer::Base.deliveries.size
follow_redirect!
assert_equal "/users/sign_in/#{Session.last!.identifier}", path
assert_match "We've sent you an email with a secret token", flash[:notice]
end

test("POST /:passwordless_for/sign_in -> ERROR / other error") do
create_user(email: "a@a")

Expand Down
Loading