Skip to content

Mobile: Native log in #1941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
olivaresf wants to merge 30 commits into
base: main
Choose a base branch
from
Open

Mobile: Native log in #1941

olivaresf wants to merge 30 commits into from
+219 −33

Conversation

@olivaresf
Copy link
Contributor

@olivaresf olivaresf commented Dec 4, 2025
edited
Loading

Adds JSON API support for the magic link authentication flow, enabling native mobile clients to authenticate. Instead of setting a cookie as an added security measure, we're sending back a pending_authentication_token that needs to be returned to the server when validating a code.

POST /session.json { email_address: "..." }

  • Returns { pending_authentication_token: "..." } (201)
  • Token expires in 10 minutes.
  • If a magic link cannot be sent, the web redirects to session_magic_link_path, so there's no leak regarding email presence. For that reason, this endpoint always returns a pending_authentication_token even if no email was sent.
  • If an invalid email is sent, we return :unprocessable_entity just like the web.

POST /session/magic_link.json { code: "...", pending_authentication_token: "..." }

  • Returns { session_token: "..." } (200)
  • Returns 401 if token missing, expired, invalid code, or email mismatch

@olivaresf olivaresf requested review from jayohms and monorkin December 4, 2025 23:11
@jyroscoped
Copy link

jyroscoped commented Dec 4, 2025

  • I would recommend extracting the rate_limit_exceeded_message string into a constant or locale file, as it's duplicated across both controllers and might need to be updated in multiple places.
  • The safe navigation operator usage in Sessions::SessionsController#create with identity&.send_magic_link could mask issues—consider whether silently failing to send a magic link when the identity doesn't exist is the intended behavior, or if you should handle this case more explicitly.
  • In respond_to_valid_code_from, creating an access token and rendering user data in the JSON response assumes the API client should receive sensitive information immediately after authentication. I would recommend documenting the security implications or reconsidering what data gets exposed in this endpoint.
  • The rate_limit_exceeded method is now duplicated between Sessions::MagicLinksController and SessionsController. I would recommend extracting this into a shared concern or module to reduce duplication.
  • In Sessions::SessionsController#create, the HTML format still calls serve_development_magic_link(magic_link) even when magic_link is nil (if identity doesn't exist). This could cause unexpected behavior—I would recommend adding a guard clause or handling the nil case explicitly.
  • The X-Magic-Link-Code header is being set in the JSON response only in development, which is fine for development workflows, but I would recommend documenting this behavior clearly to prevent accidental exposure in production.

1 similar comment
@jyroscoped
Copy link

jyroscoped commented Dec 4, 2025

  • I would recommend extracting the rate_limit_exceeded_message string into a constant or locale file, as it's duplicated across both controllers and might need to be updated in multiple places.
  • The safe navigation operator usage in Sessions::SessionsController#create with identity&.send_magic_link could mask issues—consider whether silently failing to send a magic link when the identity doesn't exist is the intended behavior, or if you should handle this case more explicitly.
  • In respond_to_valid_code_from, creating an access token and rendering user data in the JSON response assumes the API client should receive sensitive information immediately after authentication. I would recommend documenting the security implications or reconsidering what data gets exposed in this endpoint.
  • The rate_limit_exceeded method is now duplicated between Sessions::MagicLinksController and SessionsController. I would recommend extracting this into a shared concern or module to reduce duplication.
  • In Sessions::SessionsController#create, the HTML format still calls serve_development_magic_link(magic_link) even when magic_link is nil (if identity doesn't exist). This could cause unexpected behavior—I would recommend adding a guard clause or handling the nil case explicitly.
  • The X-Magic-Link-Code header is being set in the JSON response only in development, which is fine for development workflows, but I would recommend documenting this behavior clearly to prevent accidental exposure in production.

@olivaresf
Copy link
Contributor Author

olivaresf commented Dec 5, 2025

Thanks for your feedback! This is a WIP and isn't ready yet 😄

@monorkin monorkin force-pushed the mobile/native-log-in branch 2 times, most recently from aaa225a to b74d8b0 Compare December 5, 2025 10:25
@monorkin monorkin force-pushed the mobile/native-log-in branch 3 times, most recently from 5dbbcaa to 4c62455 Compare December 5, 2025 10:59
@monorkin
Copy link
Contributor

monorkin commented Dec 5, 2025

@olivaresf seems like you don't have your email address added to Github so it doesn't show proper attribution on your commits.
(After rebasing, they look like I made them, but that should fix itself after you add your email address)

monorkin
monorkin reviewed Dec 5, 2025
View reviewed changes
@monorkin
Copy link
Contributor

monorkin commented Dec 5, 2025
edited
Loading

I pushed a few small changes and added comments to point them out.

@olivaresf olivaresf force-pushed the mobile/native-log-in branch from 9462b97 to af9c1b6 Compare December 5, 2025 21:24
@monorkin monorkin force-pushed the mobile/native-log-in branch from ad62957 to 558f9ca Compare December 9, 2025 14:14
@monorkin monorkin force-pushed the basic-api branch 2 times, most recently from 3f17434 to 79e77a3 Compare December 10, 2025 08:24
@monorkin monorkin force-pushed the mobile/native-log-in branch from 558f9ca to f35690b Compare December 10, 2025 08:38
Base automatically changed from basic-api to main December 10, 2025 14:44
@olivaresf olivaresf force-pushed the mobile/native-log-in branch from 1b15f41 to f35690b Compare December 10, 2025 20:07
olivaresf and others added 8 commits December 11, 2025 14:31
@olivaresf @monorkin
Allow JSON requests to send a magic link
88628e6
@olivaresf @monorkin
Allow JSON requests submitting a magic link code
75c7421
@olivaresf @monorkin
Dev: Set magic link as header when JSON request in development
b5f41c1
@olivaresf @monorkin
Return email and users too
f2f1ace
@monorkin
Cleanup & simplify sign in
8db537d
@monorkin
Remove email address and users from magic link response
8865a2a 
The identity endpoint can be used to fetch that information
@monorkin
Add tests for sign in via API
93dc7ae
@monorkin
Return the session cookie
3dca960 
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
@monorkin monorkin force-pushed the mobile/native-log-in branch from f35690b to 3dca960 Compare December 11, 2025 13:31
monorkin and others added 19 commits December 11, 2025 14:35
@monorkin
Add back missing development magic link prompt
742f668
@olivaresf
Merge remote-tracking branch 'origin/main' into mobile/native-log-in
9c27d45 
* origin/main: (67 commits)
  Wrap join code redemption in a lock
  Remove redundant include
  Replace custom code generator with Base32
  Test that you can't go to the magic link screen without an email
  Bundle drift detection and correction (#2101)
  Refactor: Use Rails range syntax in ActivitySpike query (#2080)
  Fix indentation in multi_db.rb initializer (#2082)
  Fix typo in translate property in card columns CSS (#2090)
  Refactor: use idiomatic .last instead of .order(:desc).first (#2098)
  bin/bundle-both (#2100)
  API: Allow updates to `last_active_at` (#2076)
  Move email address into hint line
  Bump fizzy-saas to pickup another staging change.
  Remove the rails credentials from .gitattributes
  Fix typo: minues → minutes
  Fix duplicate word: use use → use
  Add QrCodesController test
  Fix typo in _entropy.html.erb
  Show the email address you are signing in with
  Prohibit access to magic links unless an email address
  ...

# Conflicts:
#	app/controllers/sessions/magic_links_controller.rb
#	app/controllers/sessions_controller.rb
@olivaresf
Fix merge conflict: use authenticate_with magic_link
04bb422
@olivaresf
Simplify session create logic for both html and json
529028d
@olivaresf
Minor cleanup respond_to_valid_code_from
1466055
@olivaresf
Don't call start_new_session_for twice
7feab9f
@olivaresf
Simplify code a bit
a200a80
@olivaresf
Pass a server token when creating a magic link via API
075b2cc
@olivaresf
Add unit tests for the new endpoints
c8fb852
@olivaresf
Change test expectation on single tenant mode account creation
42ecb8c
@olivaresf
Fix creation of new session when responding to valid code
5e6feb3
@olivaresf
Update API test for cross code
53abb90
@olivaresf
Update to always return a pending auth token for JSON responses.
bc2c9b3
@olivaresf
Cleanup session creation
d7f35a6
@olivaresf
Cleanup alert message
c728438
@olivaresf
Rename test to clarify what they're about
d36da0b
@olivaresf
Move magic link api tests to their own files
d171cd2
@olivaresf
Restore sessions_controller test on creating invalid email address
5adf713
@olivaresf
Fix due to unit test when creating with invalid emails
796fa59
olivaresf
olivaresf commented Dec 12, 2025
View reviewed changes
app/controllers/sessions_controller.rb
def new
end

def create
Copy link
Contributor Author

@olivaresf olivaresf Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@monorkin could you lend me a hand here? My gut feeling is that this code could be simplified but I'm not entirely sure how 🤔

@olivaresf olivaresf marked this pull request as ready for review December 12, 2025 20:02
@olivaresf olivaresf changed the title [WIP] Mobile: Native log in Mobile: Native log in Dec 12, 2025
olivaresf and others added 3 commits December 12, 2025 14:06
@olivaresf
Merge remote-tracking branch 'origin/main' into mobile/native-log-in
7c88815 
* origin/main:
  Unused
  Use new FIZZY_GH_TOKEN with limited access
  Use Sec-Fetch-Site exclusively for CSRF protection
  Document Docker image deployment
  saas: Bump queenbee gem for new staging location
  Apply theme preference before body
  Better mini-bubble position for the Maybe column
@monorkin
Simplify auth logic
161d9d7
@monorkin
Split tests by controller or responsibility
bdad307
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@monorkin monorkin monorkin left review comments

@jayohms jayohms Awaiting requested review from jayohms

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@olivaresf @jyroscoped @monorkin