Add Unknown Address mailer to default mailers

Currently, there is no configuration option to allow for sending an email when the resource is not found when the user opts into the "paranoid" option. With this addition, users will have a special email sent to them when their email is not found in the database
mikker · Dakota-Schramm · May 3, 2024 · May 3, 2024 · May 3, 2024 · May 3, 2024
commit 6f442d46691beee4da19e2c99b6fbd7c1f821af4
diff --git a/app/controllers/passwordless/sessions_controller.rb b/app/controllers/passwordless/sessions_controller.rb
@@ -213,9 +213,9 @@ def handle_resource_not_found
  end
 
  def call_after_session_save
- return if @skip_after_session_save_callback
-
- if Passwordless.config.after_session_save.arity == 2
+ if @skip_after_session_save_callback
+ Passwordless.config.after_session_paranoid.call(@session, request)
+ elsif Passwordless.config.after_session_save.arity == 2
  Passwordless.config.after_session_save.call(@session, request)
  else
  Passwordless.config.after_session_save.call(@session)

diff --git a/app/mailers/passwordless/mailer.rb b/app/mailers/passwordless/mailer.rb
@@ -29,5 +29,18 @@ def sign_in(session, token = nil, url_options = {})
  subject: I18n.t("passwordless.mailer.sign_in.subject")
  )
  end
+
+ # sends an email when user attempts to login with unknown address
+ #
+ # @param session [Session] An instance of Passwordless::Session
+ def unknown_address(session)
+ email_field = session.authenticatable.class.passwordless_email_field
+ @email = session.authenticatable.send(email_field)
+
+ mail(
+ to: @email,
+ subject: I18n.t("passwordless.mailer.unknown_address.subject")
+ )
+ end
  end
 end
diff --git a/app/views/passwordless/mailer/unknown_address.text.erb b/app/views/passwordless/mailer/unknown_address.text.erb
@@ -0,0 +1 @@
+<%= t("passwordless.mailer.unknown_address.body", email: @email ) %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -28,3 +28,13 @@ en:
 
  Alternatively you can use this link to sign in directly:
  %{magic_link}
+ unknown_address:
+ subject: "Not Registered"
+ body: |-
+ We noticed a login attempt using your email, %{email}.
+
+ If you're seeing this email, that means that you don't currently have an
+ account associated with this email for Chuck.
+ Maybe you have a different account that's associated with your Chuck user?
+
+ If this wasn't you, disregard this email.
diff --git a/lib/passwordless/config.rb b/lib/passwordless/config.rb
@@ -48,6 +48,12 @@ class Configuration
  Mailer.sign_in(session, session.token).deliver_now
  end
  )
+ option(
+ :after_session_paranoid,
+ default: lambda do |session, _request|
+ Mailer.unknown_address(session).deliver_now
+ end
+ )
 
  option :paranoid, default: false
 

diff --git a/test/controllers/passwordless/sessions_controller_test.rb b/test/controllers/passwordless/sessions_controller_test.rb
@@ -98,9 +98,9 @@ class << User
  post("/users/sign_in", params: {passwordless: {email: "a@a"}})
  end
 
+ assert_equal 1, ActionMailer::Base.deliveries.size
  assert_equal 302, status
 
- assert_equal 0, ActionMailer::Base.deliveries.size
  assert_nil Session.last.authenticatable
 
  follow_redirect!