dmails, emails: refactor to use Rails signed_id.

Refactor email verification links and Dmail share links to use the new Rails signed_id mechanism, rather than our own handrolled mechanism. For Dmail share links, we have to override some Rails internal methods so that our old links still work. For email verification links, this will invalidate existing links, but this isn't a huge deal since these links are short-lived anyway. https://api.rubyonrails.org/classes/ActiveRecord/SignedId.html https://api.rubyonrails.org/classes/ActiveRecord/SignedId/ClassMethods.html
2021-01-17 00:24:02 -06:00
parent 6ca007ee1f
commit 6671711784
7 changed files with 23 additions and 28 deletions
--- a/app/controllers/emails_controller.rb
+++ b/app/controllers/emails_controller.rb
@@ -48,8 +48,7 @@ class EmailsController < ApplicationController

    if @email_address.blank?
      redirect_to edit_user_email_path(@user)
-    elsif params[:email_verification_key].present?
-      authorize @email_address
+    elsif params[:email_verification_key].present? && @email_address == EmailAddress.find_signed!(params[:email_verification_key], purpose: "verify")
      @email_address.verify!
      flash[:notice] = "Email address verified"
      redirect_to @email_address.user