Make 'source' header optional on shopkeeper sign-in

dadachi · claude · dadachi · commit 57d0e72a6728 · 2026-04-30T06:49:22.000+09:00
Reverts the earlier "require source header" form. Anti-mass-signup is now handled at the right layer by the sign-up rate_limit introduced in PR #50, so the sign-in header has no security job left. current_platform is informational metadata; rejecting sign-ins on missing metadata is too aggressive — it breaks non-mobile callers (curl, CI, integration tools, future web client) without a real benefit. Skip the current_platform update when the header is blank: the existing stored value is preserved (instead of being nuked to nil by the original buggy code path). Drop the missing_source locale key. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/app/controllers/shopkeeper_auth/sessions_controller.rb b/app/controllers/shopkeeper_auth/sessions_controller.rb
@@ -1,13 +1,11 @@
 class ShopkeeperAuth::SessionsController < DeviseTokenAuth::SessionsController
   def create
-    source = request.headers["source"]
-    if source.blank?
-      return render json: {code: 401, error_message: I18n.t("devise_token_auth.sessions.missing_source")}, status: :unauthorized
-    end
-
     super
     return if @resource.blank?
 
+    source = request.headers["source"]
+    return if source.blank?
+
     @resource.current_platform = source
     @resource.save!(validate: false)
   end
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -88,7 +88,6 @@ en:
       not_confirmed: "A confirmation email was sent to your account at '%{email}'. You must follow the instructions in the email before your account can be activated."
       bad_credentials: "Invalid email or password. Please try again."
       user_not_found: "User was not found or was not signed in."
-      missing_source: "Missing 'source' header."
     passwords:
       missing_email: "You must provide an email address."
       missing_redirect_url: "Missing redirect URL."
diff --git a/test/controllers/shopkeeper_auth/sessions_controller_test.rb b/test/controllers/shopkeeper_auth/sessions_controller_test.rb
@@ -2,7 +2,7 @@
 
 class ShopkeeperAuth::SessionsControllerTest < ActionDispatch::IntegrationTest
   test "returns unauthorized if shopkeeper not valid" do
-    post shopkeeper_session_url, headers: {source: "ios"}
+    post shopkeeper_session_url
     assert_response :unauthorized
     assert response.parsed_body["error_message"]
     assert_equal I18n.t("devise_token_auth.sessions.bad_credentials"), response.parsed_body["error_message"]
@@ -42,16 +42,15 @@ class ShopkeeperAuth::SessionsControllerTest < ActionDispatch::IntegrationTest
     assert_equal "android", shopkeeper.reload.current_platform
   end
 
-  test "sign-in without source header is rejected with 401" do
+  test "successful sign-in without source header preserves the existing current_platform" do
     shopkeeper = shopkeepers(:one)
     shopkeeper.create_default_account
     shopkeeper.update_column(:current_platform, "ios")
 
     post shopkeeper_session_url,
       params: {email: shopkeeper.email, password: "password"}
 
-    assert_response :unauthorized
-    assert_equal I18n.t("devise_token_auth.sessions.missing_source"), response.parsed_body["error_message"]
+    assert_response :success
     assert_equal "ios", shopkeeper.reload.current_platform
   end
 end
