Add :magic_link_authenticatable module for passwordless sign-in#5854
Open
jaykava wants to merge 1 commit into
Open
Add :magic_link_authenticatable module for passwordless sign-in#5854jaykava wants to merge 1 commit into
jaykava wants to merge 1 commit into
Conversation
Introduces a new opt-in Devise module that sends single-use, expiring magic links by email. Includes rate limiting, generators, views, mailer, routes, and tests for Active Record and Mongoid.
Author
|
@carlosantoniodasilva & @tegon Could you please check, review, and approve this CI workflow run? |
Author
|
@augustocbx, @abevoelker @excid3 @p8 You guys can also review this feature. I've already tested it on my machine, and it works as expected. Please let me know if you notice any issues. Thanks |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #5401
This implements the feature discussed in #5401, aligned with the approach from devise-passwordless by @abevoelker (module
:magic_link_authenticatablename and token-based email flow with rate limit)Summary
Adds a new opt-in
:magic_link_authenticatableDevise module that lets users sign in through a single-use, expiring magic link sent by email - without typing a password.This follows the same patterns as existing token-based flows (e.g.
:recoverable): only a hashed token is stored, links expire aftermagic_link_within(20 minutes by default), and each link is consumed on first successful sign-in.What's included
MagicLinkAuthenticatable): token generation/validation, rate limiting per accountMagicLinksController) with routesmagic_link_keys,magic_link_within,magic_link_request_limit,magic_link_request_period- global or per-model viadevisecallOpt-in / backwards compatibility
Apps must explicitly add
:magic_link_authenticatableto their model and run a migration for the required columns. No behavior changes for existing apps.Rate limiting
By default, at most 10 magic links per account per hour (
magic_link_request_limit/magic_link_request_period). Can be disabled per model withmagic_link_request_limit: nil.Test plan
bundle exec ruby -Ilib:test test/models/magic_link_authenticatable_test.rb test/integration/magic_link_authenticatable_test.rb test/mailers/magic_link_instructions_test.rb- 33 runs, 0 failuresbundle exec rake test/users/magic_link/new, sign in via emailed linkmagic_link_request_limit