mikker · Dakota-Schramm · May 3, 2024 · May 3, 2024 · May 3, 2024 · May 3, 2024
diff --git a/app/controllers/passwordless/sessions_controller.rb b/app/controllers/passwordless/sessions_controller.rb
@@ -213,9 +213,11 @@ def handle_resource_not_found
  end
 
  def call_after_session_save
- return if @skip_after_session_save_callback
-
- if Passwordless.config.after_session_save.arity == 2
+ if @skip_after_session_save_callback
+ if Passwordless.config.send_paranoid_email
+ Mailer.unknown_address(@session).deliver_now
+ end
+ elsif Passwordless.config.after_session_save.arity == 2
  Passwordless.config.after_session_save.call(@session, request)
  else
  Passwordless.config.after_session_save.call(@session)

diff --git a/app/mailers/passwordless/mailer.rb b/app/mailers/passwordless/mailer.rb
@@ -29,5 +29,18 @@ def sign_in(session, token = nil, url_options = {})
  subject: I18n.t("passwordless.mailer.sign_in.subject")
  )
  end
+
+ # sends an email when user attempts to login with unknown address
+ #
+ # @param session [Session] An instance of Passwordless::Session
+ def unknown_address(session)
+ email_field = session.authenticatable.class.passwordless_email_field
+ @email = session.authenticatable.send(email_field)
+
+ mail(
+ to: @email,
+ subject: I18n.t("passwordless.mailer.unknown_address.subject")
+ )
+ end
  end
 end
diff --git a/app/views/passwordless/mailer/unknown_address.text.erb b/app/views/passwordless/mailer/unknown_address.text.erb
@@ -0,0 +1 @@
+<%= t("passwordless.mailer.unknown_address.body", email: @email ) %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -28,3 +28,13 @@ en:
 
  Alternatively you can use this link to sign in directly:
  %{magic_link}
+ unknown_address:
+ subject: "Not Registered"
+ body: |-
+ We noticed a login attempt using your email, %{email}.
+
+ If you're seeing this email, that means that you don't currently have an
+ account associated with this email.
+ Maybe you have a different email that's associated with your account?
+
+ If this wasn't you, disregard this email.
diff --git a/lib/passwordless/config.rb b/lib/passwordless/config.rb
@@ -50,6 +50,7 @@ class Configuration
  )
 
  option :paranoid, default: false
+ option :send_paranoid_email, default: false
 
  def initialize
  set_defaults!

diff --git a/test/controllers/passwordless/sessions_controller_test.rb b/test/controllers/passwordless/sessions_controller_test.rb
@@ -107,6 +107,22 @@ class << User
  assert_equal "/users/sign_in/#{Session.last!.identifier}", path
  end
 
+ test("POST /:passwordless_for/sign_in -> SUCCESS / not found,
+ paranoid enabled, send paranoid email") do
+ with_config(paranoid: true, send_paranoid_email: true) do
+ post("/users/sign_in", params: {passwordless: {email: "a@a"}})
+ end
+
+ assert_equal 1, ActionMailer::Base.deliveries.size
+ assert_nil Session.last.authenticatable
+
+ assert_equal 302, status
+
+ follow_redirect!
+ assert_equal "/users/sign_in/#{Session.last!.identifier}", path
+ end
+
+
  test("POST /:passwordless_for/sign_in -> ERROR / not found and paranoid disabled") do
  post("/users/sign_in", params: {passwordless: {email: "A@a"}})