Return the session cookie

We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.

Author: monorkin

app/controllers/sessions/magic_links_controller.rb

@@ -22,15 +22,15 @@ def code
     end
 
     def respond_to_valid_code_from(magic_link)
+      start_new_session_for magic_link.identity
+
       respond_to do |format|
         format.html do
-          start_new_session_for magic_link.identity
           redirect_to after_sign_in_url(magic_link)
         end
 
         format.json do
-          new_access_token = magic_link.identity.access_tokens.create!(permission: :write)
-          render json: { access_token: new_access_token.token }
+          render json: { session_token: cookies[:session_token] }
         end
       end
     end

test/controllers/api_test.rb

@@ -20,7 +20,7 @@ class ApiTest < ActionDispatch::IntegrationTest
     untenanted do
       post session_magic_link_path(format: :json), params: { code: magic_link.code }
       assert_response :success
-      assert @response.parsed_body["access_token"].present?
+      assert @response.parsed_body["session_token"].present?
     end
   end