Suggestion: introduce a way to control where the user is redirected to on invalid/expired token
LLCampos opened this issue · 7 comments
Hey :)
Unless I'm missing something this is currently non-trivial to do.
Use case example: If a user clicks an invalid/expired token, I want to send them back to the sign in page, with a flash message letting them know what happened.
I haven't tested this personally but I think you may be able to accomplish this by writing a custom Devise::FailureApp. Try this approach on Devise's wiki with the example CustomFailure class: https://github.com/heartcombo/devise/wiki/How-To:-Redirect-to-a-specific-page-when-the-user-can-not-be-authenticated
If you only want to override the redirect for the expired magic link something like this might work:

    class CustomFailure < Devise::FailureApp
      def redirect_url
        if warden_message == :magic_link_invalid
          your_custom_path
        else
          super
        end
      end

      # You need to override respond to eliminate recall
      def respond
        if http_auth?
          http_auth
        else
          redirect
        end
      end
    end
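To make the flow above runnable without Rails, here is an added, stand-alone example (not code from the devise-passwordless project or from anyone in this thread). StandInFailureApp is an assumption about the shape of Devise::FailureApp (warden_message, redirect_url, respond, http_auth?, recall) so the dispatch can be exercised offline; the /login path and the message texts are constructed. It shows the two things the question asks for: the expired-link failure lands on the sign-in page rather than being recalled, and the redirect carries a flash alert describing why.

```ruby
# Added example: models the Devise failure-app redirect decision from this
# thread without loading Rails or Devise. StandInFailureApp is a stand-in for
# Devise::FailureApp (an assumption about its shape, not a copy of it).
#
# In a real app you subclass Devise::FailureApp directly and register it in
# config/initializers/devise.rb:
#
#   config.warden do |manager|
#     manager.failure_app = CustomFailure
#   end

class StandInFailureApp
  # Stand-in for the devise.failure.* locale entries (constructed text).
  MESSAGES = {
    magic_link_invalid: "That sign-in link is invalid or has expired.",
    unauthenticated:    "You need to sign in or sign up before continuing.",
    timeout:            "Your session expired. Please sign in again to continue."
  }.freeze

  Response = Struct.new(:status, :location, :flash, :recalled)

  def initialize(env)
    @env = env
    @flash = {}
  end

  # Warden puts the failure reason in env["warden.options"][:message].
  def warden_message
    @env.fetch("warden.options", {})[:message]
  end

  def i18n_message
    MESSAGES.fetch(warden_message, "Authentication failed.")
  end

  # Simplified content negotiation for the example.
  def http_auth?
    @env["HTTP_ACCEPT"].to_s.include?("application/json")
  end

  def root_path
    "/"
  end

  # Default behaviour: browser requests with a :recall option re-run the
  # failing controller action instead of redirecting. The override in the
  # thread removes exactly this branch.
  def respond
    if http_auth?
      http_auth
    elsif @env.fetch("warden.options", {}).key?(:recall)
      recall
    else
      redirect
    end
  end

  def recall
    Response.new(200, nil, @flash, @env["warden.options"][:recall])
  end

  def http_auth
    Response.new(401, nil, {}, nil)
  end

  # The redirect sets flash[:alert] from the failure message; that is where the
  # "flash message letting them know what happened" comes from.
  def redirect
    @flash[:alert] = i18n_message
    Response.new(302, redirect_url, @flash, nil)
  end

  def redirect_url
    root_path
  end
end

# The subclass from the thread: send invalid/expired magic-link failures to
# the sign-in page and never recall.
class CustomFailure < StandInFailureApp
  NEW_SESSION_PATH = "/login" # assumed sign-in route

  def redirect_url
    warden_message == :magic_link_invalid ? NEW_SESSION_PATH : super
  end

  def respond
    http_auth? ? http_auth : redirect
  end
end

# Run a failure app against a constructed Rack-style env.
def run_failure(app_class, message, recall: nil, accept: "text/html")
  opts = { message: message }
  opts[:recall] = recall if recall
  app_class.new("HTTP_ACCEPT" => accept, "warden.options" => opts).respond
end

if __FILE__ == $PROGRAM_NAME
  r = run_failure(CustomFailure, :magic_link_invalid, recall: "devise/sessions#new")
  puts "#{r.status} -> #{r.location} (#{r.flash[:alert]})"
end
```

Running the file shows the expired-link case redirecting to /login with the alert set, while the same env handed to the stand-in base class would have been recalled to the sessions controller; other failure reasons still fall through to the default redirect.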
@abevoelker I'm getting a found unpermitted param token error when clicking on an expired link instead of a nice message. It's not a redirect issue but I don't seem to find the source of the error. Any guess? Using the MessageEncryptorTokenizer option.
I've solved it by adding :token to devise_parameter_sanitizer.permit(:sign_in, keys: %i[... token]) and adding an empty assign method to the resource class, like def token=(token); end
@jvortmann hey sorry you encountered that; something is wrong if you're getting that message. if you're able to share code that reproduces it i can dig in deeper to it
Unfortunately I can't, but there is no client side code or configuration added from the default. We added it as an alternative to the password login. The magic_link_authenticatable is added after the database_authenticatable like so:

    devise :confirmable,
           :database_authenticatable,
           :magic_link_authenticatable,
And the route to send the magic link is like:

    post 'passwordless-login', to: 'devise/passwordless/sessions#create'
The sending works just fine, but if we let the link expire and try to access it, we get the error above unless we add the :token to the devise_parameter_sanitizer.permit(:sign_in, keys: %i[... token]) in a before_action. This happens as the login failed and the redirect goes to the default config (root_url), which in this case is the login form (renamed to /login).

I see no code in the gem that edits the devise_parameter_sanitizer.permit(:sign_in,... and we are using the default devise session controller with no changes.
(Copying and pasting this to all open issues/PRs:)
Hey all, per #64 I unfortunately won't have much time for the foreseeable future to maintain devise-passwordless to fix the open bugs and work on new features. I'm not abandoning this project, but due to some life issues it's just at the bottom of my priority list for now.
Anyone who wants to step up and be a maintainer to shepherd the project forward would be welcomed! I just ask that you've opened a PR, or written an issue, or can otherwise demonstrate some familiarity/competence with the project. You can reply to #64 or message me privately (through email or socials since GitHub doesn't have DMs) if interested. Thank you ✌️