diff --git a/app/controllers/passwordless/sessions_controller.rb b/app/controllers/passwordless/sessions_controller.rb
index ce4face..c5cdc14 100644
--- a/app/controllers/passwordless/sessions_controller.rb
+++ b/app/controllers/passwordless/sessions_controller.rb
@@ -213,9 +213,11 @@ def handle_resource_not_found
 end
 
 def call_after_session_save
- return if @skip_after_session_save_callback
-
- if Passwordless.config.after_session_save.arity == 2
+ if @skip_after_session_save_callback
+ if Passwordless.config.send_paranoid_email
+ Mailer.unknown_address(@session).deliver_now
+ end
+ elsif Passwordless.config.after_session_save.arity == 2
 Passwordless.config.after_session_save.call(@session, request)
 else
 Passwordless.config.after_session_save.call(@session)
diff --git a/app/mailers/passwordless/mailer.rb b/app/mailers/passwordless/mailer.rb
index 8cace33..d4af857 100644
--- a/app/mailers/passwordless/mailer.rb
+++ b/app/mailers/passwordless/mailer.rb
@@ -29,5 +29,18 @@ def sign_in(session, token = nil, url_options = {})
 subject: I18n.t("passwordless.mailer.sign_in.subject")
 )
 end
+
+ # sends an email when user attempts to login with unknown address
+ #
+ # @param session [Session] An instance of Passwordless::Session
+ def unknown_address(session)
+ email_field = session.authenticatable.class.passwordless_email_field
+ @email = session.authenticatable.send(email_field)
+
+ mail(
+ to: @email,
+ subject: I18n.t("passwordless.mailer.unknown_address.subject")
+ )
+ end
 end
 end
diff --git a/app/views/passwordless/mailer/unknown_address.text.erb b/app/views/passwordless/mailer/unknown_address.text.erb
new file mode 100644
index 0000000..7201149
--- /dev/null
+++ b/app/views/passwordless/mailer/unknown_address.text.erb
@@ -0,0 +1 @@
+<%= t("passwordless.mailer.unknown_address.body", email: @email ) %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 091ee62..1a98f8a 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
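Review bot: Any unauthenticated client can now make the application send mail to an arbitrary third-party address: when `send_paranoid_email` is on, the `@skip_after_session_save_callback` branch runs `Mailer.unknown_address(@session).deliver_now` for whatever address was typed into the sign-in form, and nothing in this hunk throttles it, which turns an account-existence-hiding feature into a mail cannon. The host application needs a rate limit keyed on address and client IP in front of this path, or the gem should document that requirement where the option is defined. The hard-coded `deliver_now` is also a timing tell: the known-address path runs the host-configured `after_session_save`, which may well deliver asynchronously, so synchronous SMTP only on the unknown path can make paranoid mode distinguishable by response time; consider `Mailer.unknown_address(@session).deliver_later` or letting the host supply the delivery strategy. `call_after_session_save` is fully inside the hunk, but the code that sets `@skip_after_session_save_callback` (`handle_resource_not_found`) is outside it.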
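Review bot: `unknown_address` dereferences `session.authenticatable` twice with no nil check, yet the new test asserts that the persisted paranoid session has `authenticatable` nil, so this mailer only works with the in-memory, unsaved dummy record that `handle_resource_not_found` (outside this diff) appears to attach, and presumably only if that dummy carries the submitted email. If a caller ever passes a reloaded session, or the dummy's email field is empty, this raises `NoMethodError` or mails to `nil`, and the resulting 500 is itself a signal that the address was unknown, defeating paranoid mode. Add `return if session.authenticatable.nil?` at the top (with no `mail` call Rails returns a null message, so `deliver_now` becomes a no-op) and state the precondition in the YARD comment: `# @param session [Session] an unsaved paranoid session whose in-memory authenticatable carries the submitted address`. Prefer `session.authenticatable.public_send(email_field)` over `send` so a misconfigured field name cannot reach private methods.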
@@ -28,3 +28,13 @@ en:
 Alternatively you can use this link to sign in directly:
 %{magic_link}
+ unknown_address:
+ subject: "Not Registered"
+ body: |-
+ We noticed a login attempt using your email, %{email}.
+
+ If you're seeing this email, that means that you don't currently have an
+ account associated with this email.
+ Maybe you have a different email that's associated with your account?
+
+ If this wasn't you, disregard this email.
diff --git a/lib/passwordless/config.rb b/lib/passwordless/config.rb
index e992e0c..93e367a 100644
--- a/lib/passwordless/config.rb
+++ b/lib/passwordless/config.rb
@@ -50,6 +50,7 @@ class Configuration
 )
 option :paranoid, default: false
+ option :send_paranoid_email, default: false
 def initialize
 set_defaults!
diff --git a/test/controllers/passwordless/sessions_controller_test.rb b/test/controllers/passwordless/sessions_controller_test.rb
index b0ac305..09d7fd5 100644
--- a/test/controllers/passwordless/sessions_controller_test.rb
+++ b/test/controllers/passwordless/sessions_controller_test.rb
@@ -107,6 +107,22 @@ class << User
 assert_equal "/users/sign_in/#{Session.last!.identifier}", path
 end
+ test("POST /:passwordless_for/sign_in -> SUCCESS / not found,
+ paranoid enabled, send paranoid email") do
+ with_config(paranoid: true, send_paranoid_email: true) do
+ post("/users/sign_in", params: {passwordless: {email: "a@a"}})
+ end
+
+ assert_equal 1, ActionMailer::Base.deliveries.size
+ assert_nil Session.last.authenticatable
+
+ assert_equal 302, status
+
+ follow_redirect!
+ assert_equal "/users/sign_in/#{Session.last!.identifier}", path
+ end
+
+
 test("POST /:passwordless_for/sign_in -> ERROR / not found and paranoid disabled") do
 post("/users/sign_in", params: {passwordless: {email: "A@a"}})
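Review bot: `option :send_paranoid_email, default: false` is added without a comment, so a reader of config.rb cannot tell that it is only consulted in the controller's skip-callback branch (and so presumably has no effect unless `paranoid` is also true), nor that enabling it makes the application email any address submitted on the sign-in form. A two-line comment above the option would carry both facts: `# Only consulted when paranoid is true: unknown addresses get a "not registered" notice.` followed by `# This mails arbitrary user-supplied addresses, so rate-limit the sign-in endpoint.` Whether `@skip_after_session_save_callback` is set anywhere other than the paranoid path is not visible in this diff. The `class Configuration` body continues on both sides of the hunk.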