Add passwordless magic-link sign-up and sign-in (#38)

Let users sign up and sign in with email only (no password) via a 30-minute
magic link, alongside the existing password flow. Passwordless accounts can
add a password later from a new account settings page.

- Make password_digest nullable; User uses has_secure_password
  validations: false with its own length/confirmation validations and a
  :magic_link token tied to password_salt (auto-invalidates on password change)
- MagicLinksController + MagicLinkMailer for requesting/consuming sign-in links,
  with honeypot, rate limiting, org-membership gating, and non-disclosure parity
- Users::PasswordsController settings page to add/change a password
- Dev-only "Mailer previews" nav link

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: kcdragon

app/controllers/magic_links_controller.rb

@@ -0,0 +1,42 @@
+class MagicLinksController < ApplicationController
+  allow_unauthenticated_access only: %i[ new create show ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_magic_link_path, alert: "Try again later." }
+
+  def new
+  end
+
+  def create
+    # Honeypot: real users never fill this hidden field, bots do
+    if params[:nickname].present?
+      redirect_to new_session_path, notice: generic_notice
+      return
+    end
+
+    user = User.find_by(email_address: params[:email_address])
+
+    # Only send to members of this organization
+    if user&.member_of?(Current.organization)
+      MagicLinkMailer.sign_in_link(user, Current.organization).deliver_later
+    end
+
+    redirect_to new_session_path, notice: generic_notice
+  end
+
+  def show
+    user = User.find_by_token_for(:magic_link, params[:token])
+
+    if user&.member_of?(Current.organization)
+      user.confirm! unless user.confirmed?
+      start_new_session_for user
+      redirect_to after_authentication_url, notice: "You're signed in."
+    else
+      redirect_to new_session_path, alert: "Sign-in link is invalid or has expired."
+    end
+  end
+
+  private
+
+  def generic_notice
+    "If an account exists for that email, we've sent a sign-in link."
+  end
+end

app/controllers/registrations_controller.rb

@@ -10,7 +10,7 @@ def create
     # Honeypot: real users never fill this hidden field, bots do. Silently
     # pretend success so spammers can't tell their submission was rejected.
     if params[:nickname].present?
-      redirect_to new_session_path, notice: "Check your email to confirm your account before signing in."
+      redirect_to new_session_path, notice: confirmation_notice
       return
     end
 
@@ -29,15 +29,25 @@ def create
         Current.organization.organization_memberships.create!(user: @user)
       end
 
-      RegistrationMailer.confirmation(@user, Current.organization).deliver_later
-      redirect_to new_session_path, notice: "Check your email to confirm your account before signing in."
+      if @user.password_set?
+        RegistrationMailer.confirmation(@user, Current.organization).deliver_later
+        redirect_to new_session_path, notice: confirmation_notice
+      else
+        # Passwordless signup: send a magic link that confirms and signs them in.
+        MagicLinkMailer.sign_in_link(@user, Current.organization).deliver_later
+        redirect_to new_session_path, notice: "Check your email for a sign-in link."
+      end
     else
       render :new, status: :unprocessable_entity
     end
   end
 
   private
 
+  def confirmation_notice
+    "Check your email to confirm your account before signing in."
+  end
+
   def registration_params
     params.require(:user).permit(:email_address, :password, :password_confirmation)
   end

app/controllers/users/passwords_controller.rb

@@ -0,0 +1,29 @@
+class Users::PasswordsController < ApplicationController
+  def show
+    @user = Current.user
+  end
+
+  def update
+    @user = Current.user
+
+    # Users who already have a password must confirm it before changing it.
+    # Passwordless users are adding their first password, so none is required.
+    if @user.password_set? && !@user.authenticate(params[:current_password].to_s)
+      @user.errors.add(:current_password, "is incorrect")
+      render :show, status: :unprocessable_entity
+      return
+    end
+
+    if @user.update(password_params)
+      redirect_to users_password_path, notice: "Password saved."
+    else
+      render :show, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def password_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
+end

app/mailers/magic_link_mailer.rb

@@ -0,0 +1,7 @@
+class MagicLinkMailer < ApplicationMailer
+  def sign_in_link(user, organization)
+    @user = user
+    @organization = organization
+    mail subject: "Your sign-in link", to: user.email_address
+  end
+end

app/models/user.rb

@@ -1,5 +1,8 @@
 class User < ApplicationRecord
-  has_secure_password
+  # validations: false so a password isn't required on create — passwordless
+  # (magic-link) accounts have none. The presence-on-create check is dropped;
+  # the length/confirmation validations below replace the rest.
+  has_secure_password validations: false
   has_many :sessions, dependent: :destroy
   has_many :organization_memberships, dependent: :destroy
   has_many :organizations, through: :organization_memberships
@@ -9,15 +12,26 @@ class User < ApplicationRecord
     confirmed_at
   end
 
+  # Magic-link sign-in token. Tied to the password salt so the link
+  # auto-invalidates the moment a password is set or changed.
+  generates_token_for :magic_link, expires_in: 30.minutes do
+    password_salt&.last(10)
+  end
+
   normalizes :email_address, with: ->(e) { e.strip.downcase }
 
   validates :email_address, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
-  validates :password, length: { minimum: 8 }, allow_nil: true
+  validates :password, length: { minimum: 8, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED }, allow_nil: true
+  validates :password, confirmation: true, allow_blank: true
 
   def member_of?(organization)
     organization && organizations.exists?(organization.id)
   end
 
+  def password_set?
+    password_digest.present?
+  end
+
   def confirmed?
     confirmed_at.present?
   end

app/views/layouts/application.html.erb

@@ -31,6 +31,18 @@
     <nav class="sticky top-0 z-50 flex h-13 items-center border-b border-line bg-surface px-6 sm:px-9">
       <%= link_to (Current.organization&.name || "Community Foundations"), root_path,
             class: "font-serif text-lg tracking-tight text-ink hover:text-ink" %>
+
+      <% if Rails.env.development? || authenticated? %>
+        <div class="ml-auto flex items-center gap-4 text-sm">
+          <% if Rails.env.development? %>
+            <%= link_to "Mailer previews", "/rails/mailers", class: "text-ink-soft hover:text-ink" %>
+          <% end %>
+          <% if authenticated? %>
+            <%= link_to "Settings", users_password_path, class: "text-ink-soft hover:text-ink" %>
+            <%= button_to "Sign out", session_path, method: :delete, class: "text-ink-soft hover:text-ink cursor-pointer" %>
+          <% end %>
+        </div>
+      <% end %>
     </nav>
 
     <%= render "shared/flash" %>

app/views/magic_link_mailer/sign_in_link.html.erb

@@ -0,0 +1,6 @@
+<p>
+  Sign in by visiting
+  <%= link_to "this sign-in page", magic_link_url(token: @user.generate_token_for(:magic_link), subdomain: @organization.subdomain) %>.
+
+  This link will expire in 30 minutes.
+</p>

app/views/magic_link_mailer/sign_in_link.text.erb

@@ -0,0 +1,4 @@
+Sign in by visiting
+<%= magic_link_url(token: @user.generate_token_for(:magic_link), subdomain: @organization.subdomain) %>
+
+This link will expire in 30 minutes.

app/views/magic_links/new.html.erb

@@ -0,0 +1,29 @@
+<div class="mx-auto max-w-md w-full px-4 py-16">
+  <div class="rounded-2xl border border-line bg-surface p-8 shadow-sm">
+    <h1 class="font-serif font-medium text-3xl tracking-tight text-ink">Email me a sign-in link</h1>
+
+    <p class="mt-3 text-sm text-ink-soft">We'll email you a link that signs you in — no password needed.</p>
+
+    <%= form_with url: magic_link_path, class: "contents" do |form| %>
+      <%# Honeypot: hidden from real users, but bots tend to fill every field. Submissions with this set are silently dropped. %>
+      <div class="absolute left-[-9999px]" aria-hidden="true">
+        <%= label_tag :nickname, "Leave this field blank" %>
+        <%= text_field_tag :nickname, nil, tabindex: -1, autocomplete: "off" %>
+      </div>
+
+      <div class="my-5">
+        <%= form.email_field :email_address, required: true, autofocus: true, autocomplete: "username", placeholder: "Enter your email address", value: params[:email_address], class: "block shadow-sm rounded-md border border-line bg-surface px-3 py-2 mt-2 w-full focus:border-accent focus:outline-none focus:ring-2 focus:ring-accent/10" %>
+      </div>
+
+      <div class="mt-6 sm:flex sm:items-center sm:gap-4">
+        <div class="inline">
+          <%= form.submit "Email me a sign-in link", class: "w-full sm:w-auto text-center rounded-md px-3.5 py-2.5 bg-accent hover:bg-[#444] text-white inline-block font-medium cursor-pointer transition" %>
+        </div>
+
+        <div class="mt-4 text-sm text-ink-soft sm:mt-0">
+          <%= link_to "Sign in with a password", new_session_path, class: "text-ink hover:text-brand underline" %>
+        </div>
+      </div>
+    <% end %>
+  </div>
+</div>

app/views/registrations/new.html.erb

@@ -24,11 +24,12 @@
       </div>
 
       <div class="my-5">
-        <%= form.password_field :password, required: true, autocomplete: "new-password", minlength: 8, placeholder: "Enter your password (min. 8 characters)", maxlength: 72, class: "block shadow-sm rounded-md border border-line bg-surface px-3 py-2 mt-2 w-full focus:border-accent focus:outline-none focus:ring-2 focus:ring-accent/10" %>
+        <%= form.password_field :password, autocomplete: "new-password", minlength: 8, placeholder: "Choose a password (min. 8 characters)", maxlength: 72, class: "block shadow-sm rounded-md border border-line bg-surface px-3 py-2 mt-2 w-full focus:border-accent focus:outline-none focus:ring-2 focus:ring-accent/10" %>
+        <p class="mt-2 text-sm text-ink-soft">Optional — leave blank to sign in with a link emailed to you instead.</p>
       </div>
 
       <div class="my-5">
-        <%= form.password_field :password_confirmation, required: true, autocomplete: "new-password", placeholder: "Confirm your password", maxlength: 72, class: "block shadow-sm rounded-md border border-line bg-surface px-3 py-2 mt-2 w-full focus:border-accent focus:outline-none focus:ring-2 focus:ring-accent/10" %>
+        <%= form.password_field :password_confirmation, autocomplete: "new-password", placeholder: "Confirm your password", maxlength: 72, class: "block shadow-sm rounded-md border border-line bg-surface px-3 py-2 mt-2 w-full focus:border-accent focus:outline-none focus:ring-2 focus:ring-accent/10" %>
       </div>
 
       <div class="mt-6 sm:flex sm:items-center sm:gap-4">