Skip to content

Add :magic_link_authenticatable module for passwordless sign-in#5854

Open
jaykava wants to merge 1 commit into
heartcombo:mainfrom
jaykava:magic_link_authenticatable
Open

Add :magic_link_authenticatable module for passwordless sign-in#5854
jaykava wants to merge 1 commit into
heartcombo:mainfrom
jaykava:magic_link_authenticatable

Conversation

@jaykava

@jaykava jaykava commented Jul 4, 2026

Copy link
Copy Markdown

Closes #5401

This implements the feature discussed in #5401, aligned with the approach from devise-passwordless by @abevoelker (module :magic_link_authenticatable name and token-based email flow with rate limit)

Summary

Adds a new opt-in :magic_link_authenticatable Devise module that lets users sign in through a single-use, expiring magic link sent by email - without typing a password.

This follows the same patterns as existing token-based flows (e.g. :recoverable): only a hashed token is stored, links expire after magic_link_within (20 minutes by default), and each link is consumed on first successful sign-in.

What's included

  • Model (MagicLinkAuthenticatable): token generation/validation, rate limiting per account
  • Warden strategy and controller (MagicLinksController) with routes
  • Mailer and default views (ERB, simple_form, markerb templates)
  • Generators for Active Record and Mongoid (migration columns, initializer docs)
  • Configuration: magic_link_keys, magic_link_within, magic_link_request_limit, magic_link_request_period - global or per-model via devise call
  • Tests: model, integration, mailer, routes, and mapping coverage

Opt-in / backwards compatibility

Apps must explicitly add :magic_link_authenticatable to their model and run a migration for the required columns. No behavior changes for existing apps.

Rate limiting

By default, at most 10 magic links per account per hour (magic_link_request_limit / magic_link_request_period). Can be disabled per model with magic_link_request_limit: nil.

Test plan

  • bundle exec ruby -Ilib:test test/models/magic_link_authenticatable_test.rb test/integration/magic_link_authenticatable_test.rb test/mailers/magic_link_instructions_test.rb - 33 runs, 0 failures
  • Full test suite: bundle exec rake test
  • Manual: request magic link at /users/magic_link/new, sign in via emailed link
  • Verify expired/used tokens are rejected
  • Verify rate limiting after exceeding magic_link_request_limit

Introduces a new opt-in Devise module that sends single-use, expiring
magic links by email. Includes rate limiting, generators, views,
mailer, routes, and tests for Active Record and Mongoid.
@jaykava

jaykava commented Jul 4, 2026

Copy link
Copy Markdown
Author

@carlosantoniodasilva & @tegon Could you please check, review, and approve this CI workflow run?

@jaykava

jaykava commented Jul 4, 2026

Copy link
Copy Markdown
Author

@augustocbx, @abevoelker @excid3 @p8 You guys can also review this feature. I've already tested it on my machine, and it works as expected. Please let me know if you notice any issues.

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

PR proposal: would a magic link / passwordless auth strategy be considered for merge?

1 participant