Suggestion: introduce a way to control where the user is redirected to on invalid/expired token

[LLCampos]

Hey :)

Unless I'm missing something this is currently non-trivial to do.

Use case example: If a user clicks an invalid/expired token, I want to send them back to the sign in page, with a flash message letting them know what happened.

[abevoelker]

I haven't tested this personally but I think you may be able to accomplish this by writing a custom Devise::FailureApp. Try this approach on Devise's wiki with the example CustomFailure class: https://github.com/heartcombo/devise/wiki/How-To:-Redirect-to-a-specific-page-when-the-user-can-not-be-authenticated

[abevoelker]

If you only want to override the redirect for the expired magic link something like this might work

class CustomFailure < Devise::FailureApp
  def redirect_url
    if warden_message == :magic_link_invalid
      your_custom_path
    else
      super
    end
  end

  # You need to override respond to eliminate recall
  def respond
    if http_auth?
      http_auth
    else
      redirect
    end
  end
end

[jvortmann]

@abevoelker I'm getting a found unpermitted param token error when clicking on a expired link instead of a nice message. Its not a redirect issue but I don't seem to find the source of the error. Any guess? Using the MessageEncryptorTokenizer option.

[jvortmann]

I've solved by adding :token to devise_parameter_sanitizer.permit(:sign_in, keys: %i[... token]) and adding an empty assign method to the resource class like def token=(token); end

[abevoelker]

@jvortmann hey sorry you encountered that; something is wrong if you're getting that message. if you're able to share code that reproduces it i can dig in deeper to it

[jvortmann]

Unfortunately I can't, but there is no client side code or configuration added from the default. We added as alternative to the password login.
The magic_ling_authenticatable is added after the database_authenticatable like so:

  devise :confirmable,
         :database_authenticatable,
         :magic_link_authenticatable,

And the route to create send the magic link is like:

    post 'passwordless-login', to: 'devise/passwordless/sessions#create'

The sending work just fine but if we let the link expire and try to access it, we got the error above unless we add the :token to the devise_parameter_sanitizer.permit(:sign_in, keys: %i[... token]) in a before_action. This happen as the login failed and the redirect happen to the default config (root_url) which in this case is the login form (rename to /login).

I see no code in the gem that edits the devise_parameter_sanitizer.permit(:sign_in,... and we are using the default devise session controller with no changes.

[abevoelker]

(Copying and pasting this to all open issues/PRs:)

Hey all, per #64 I unfortunately won't have much time for the foreseeable future to maintain devise-passwordless to fix the open bugs and work on new features. I'm not abandoning this project, but due to some life issues it's just at the bottom of my priority list for now.

Anyone who wants to step up and be a maintainer to shepherd the project forward would be welcomed! I just ask that you've opened a PR, or written an issue, or can otherwise demonstrate some familiarity/competence with the project. You can reply to #64 or message me privately (through email or socials since GitHub doesn't have DMs) if interested. Thank you ✌️