Skip to content

[WIP] Mobile: Native log in #1941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
olivaresf wants to merge 8 commits into
base: main
Choose a base branch
from
Draft

[WIP] Mobile: Native log in #1941

olivaresf wants to merge 8 commits into from
+74 −9

Conversation

@olivaresf
Copy link
Contributor

@olivaresf olivaresf commented Dec 4, 2025
edited
Loading

Based on #1766, working my way to making a fully native experience possible:

  • Allow magic links to be sent via API request
  • Allow code to be submitted via API request
  • Authenticate web views given an access token
  • Clean up
  • Unit tests for each endpoint
  • Security audit for access token -> web view

@olivaresf olivaresf requested review from jayohms and monorkin December 4, 2025 23:11
@jyroscoped
Copy link

jyroscoped commented Dec 4, 2025

  • I would recommend extracting the rate_limit_exceeded_message string into a constant or locale file, as it's duplicated across both controllers and might need to be updated in multiple places.
  • The safe navigation operator usage in Sessions::SessionsController#create with identity&.send_magic_link could mask issues—consider whether silently failing to send a magic link when the identity doesn't exist is the intended behavior, or if you should handle this case more explicitly.
  • In respond_to_valid_code_from, creating an access token and rendering user data in the JSON response assumes the API client should receive sensitive information immediately after authentication. I would recommend documenting the security implications or reconsidering what data gets exposed in this endpoint.
  • The rate_limit_exceeded method is now duplicated between Sessions::MagicLinksController and SessionsController. I would recommend extracting this into a shared concern or module to reduce duplication.
  • In Sessions::SessionsController#create, the HTML format still calls serve_development_magic_link(magic_link) even when magic_link is nil (if identity doesn't exist). This could cause unexpected behavior—I would recommend adding a guard clause or handling the nil case explicitly.
  • The X-Magic-Link-Code header is being set in the JSON response only in development, which is fine for development workflows, but I would recommend documenting this behavior clearly to prevent accidental exposure in production.

1 similar comment
@jyroscoped
Copy link

jyroscoped commented Dec 4, 2025

  • I would recommend extracting the rate_limit_exceeded_message string into a constant or locale file, as it's duplicated across both controllers and might need to be updated in multiple places.
  • The safe navigation operator usage in Sessions::SessionsController#create with identity&.send_magic_link could mask issues—consider whether silently failing to send a magic link when the identity doesn't exist is the intended behavior, or if you should handle this case more explicitly.
  • In respond_to_valid_code_from, creating an access token and rendering user data in the JSON response assumes the API client should receive sensitive information immediately after authentication. I would recommend documenting the security implications or reconsidering what data gets exposed in this endpoint.
  • The rate_limit_exceeded method is now duplicated between Sessions::MagicLinksController and SessionsController. I would recommend extracting this into a shared concern or module to reduce duplication.
  • In Sessions::SessionsController#create, the HTML format still calls serve_development_magic_link(magic_link) even when magic_link is nil (if identity doesn't exist). This could cause unexpected behavior—I would recommend adding a guard clause or handling the nil case explicitly.
  • The X-Magic-Link-Code header is being set in the JSON response only in development, which is fine for development workflows, but I would recommend documenting this behavior clearly to prevent accidental exposure in production.

@olivaresf
Copy link
Contributor Author

olivaresf commented Dec 5, 2025

Thanks for your feedback! This is a WIP and isn't ready yet 😄

@monorkin monorkin force-pushed the mobile/native-log-in branch 2 times, most recently from aaa225a to b74d8b0 Compare December 5, 2025 10:25
@monorkin monorkin force-pushed the mobile/native-log-in branch 3 times, most recently from 5dbbcaa to 4c62455 Compare December 5, 2025 10:59
@monorkin
Copy link
Contributor

monorkin commented Dec 5, 2025

@olivaresf seems like you don't have your email address added to Github so it doesn't show proper attribution on your commits.
(After rebasing, they look like I made them, but that should fix itself after you add your email address)

monorkin
monorkin reviewed Dec 5, 2025
View reviewed changes
@monorkin
Copy link
Contributor

monorkin commented Dec 5, 2025
edited
Loading

I pushed a few small changes and added comments to point them out.

@olivaresf olivaresf force-pushed the mobile/native-log-in branch from 9462b97 to af9c1b6 Compare December 5, 2025 21:24
@monorkin monorkin force-pushed the mobile/native-log-in branch from ad62957 to 558f9ca Compare December 9, 2025 14:14
@monorkin monorkin force-pushed the basic-api branch 2 times, most recently from 3f17434 to 79e77a3 Compare December 10, 2025 08:24
olivaresf and others added 8 commits December 10, 2025 09:31
@olivaresf @monorkin
Allow JSON requests to send a magic link
9590107
@olivaresf @monorkin
Allow JSON requests submitting a magic link code
7526558
@olivaresf @monorkin
Dev: Set magic link as header when JSON request in development
97875a9
@olivaresf @monorkin
Return email and users too
fa0d91c
@monorkin
Cleanup & simplify sign in
3971ed9
@monorkin
Remove email address and users from magic link response
657fcbe 
The identity endpoint can be used to fetch that information
@monorkin
Add tests for sign in via API
5f636c0
@monorkin
Return the session cookie
f35690b 
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
@monorkin monorkin force-pushed the mobile/native-log-in branch from 558f9ca to f35690b Compare December 10, 2025 08:38
Base automatically changed from basic-api to main December 10, 2025 14:44
@olivaresf olivaresf force-pushed the mobile/native-log-in branch from 1b15f41 to f35690b Compare December 10, 2025 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@monorkin monorkin monorkin left review comments

@jayohms jayohms Awaiting requested review from jayohms

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@olivaresf @jyroscoped @monorkin