studio-engine 0.5.3 → 0.5.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8a6751151b77737dbf25bd04a59d9ad3f801ec8f66c214dc5a97ef5f006b1f6
-  data.tar.gz: f0283ba8e4e38b8e2375b563b6f93917c3ffbc3a0880353c62ec2c5f9441b6f4
+  metadata.gz: bf5f392cf1242e7e541db8ceb7d4ad1865ef2f71f3c787e582de4ac51fc6f836
+  data.tar.gz: 5498dc5d35fbe69c589ba197f3d6fadacbe2d30e93da8b226f0a7d5309ad5ec5
 SHA512:
-  metadata.gz: a911d76518bba342d65e2e5cb1d32c80f28a484057deb8ea630a2aae34867a530b51f0814abedee21267ff66a03df2c71e4c5610b24248e8cb5174b289f92da5
-  data.tar.gz: '09a3b96acf18c3cd876463445eb02f704b25292f048006be18c44aeaffe2e9e152d1f42977bad66cde5834c87a0eda05489ebbf1b53cdb8c7ab6ca1f5a1d3d7b'
+  metadata.gz: 3c38ce794988d826bc9f91ad47786f314ea94dfebdfb42164741ffe70379dfb912d3073ac74f61f96a2814157fdcb651293c6d5d3ea9ce9927567d982c153120
+  data.tar.gz: 6046671a635cef22c25af3231d3e562d258ab0fa45ab568d2255d2c734c44d3e27950acd49ead0bda282b17075def27a6ba6c8e35df14807b6df4e2575890d3c

data/CHANGELOG.md

@@ -6,6 +6,12 @@ The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This pro
 
 No entries yet.
 
+## v0.5.4 (2026-06-14)
+
+### Changed
+- Engine magic links are now scanner-safe: emailed links land on an inert GET confirmation page, and the token is consumed only by the CSRF-protected POST from that page.
+- Added the shared `magic_link_consume_path` route helper for consumer apps using engine-drawn auth routes.
+
 ## v0.5.3 (2026-06-14)
 
 ### Added

data/README.md

@@ -11,7 +11,7 @@ Shared Rails engine for McRitchie apps. Provides authentication, error handling,
 gem "studio-engine", "~> 0.5"
 ```
 
-Then `bundle install`. The current release is **v0.5.2**; see [`CHANGELOG.md`](./CHANGELOG.md) for the history.
+Then `bundle install`. The current release is **v0.5.4**; see [`CHANGELOG.md`](./CHANGELOG.md) for the history.
 
 > Published to RubyGems as of v0.4.0 (2026-05-17). New installs should use the RubyGems form, which the consumer Rails apps (`mcritchie-studio`, `turf-monster`) already use.
 
@@ -62,7 +62,7 @@ Rails.application.routes.draw do
 end
 ```
 
-This draws the enabled auth routes (`/login`, `/signup`, `/logout`, magic-link routes, Solana routes), OAuth callbacks, optional SSO routes, `/error_logs`, and `/admin/theme`.
+This draws the enabled auth routes (`/login`, `/signup`, `/logout`, magic-link request/confirm/consume routes, Solana routes), OAuth callbacks, optional SSO routes, `/error_logs`, and `/admin/theme`. Magic-link emails point at the inert GET confirmation route; the single-use token is consumed only by the CSRF-protected POST to `magic_link_consume_path`.
 
 ## Overriding Views
 

data/app/controllers/magic_links_controller.rb

@@ -1,7 +1,8 @@
 # Unified create-or-login email magic link (the passwordless email path).
 #
 #   POST /magic_link        — request a link (email [, return_to])
-#   GET  /magic_link/:token — consume it: log in OR create the account
+#   GET  /magic_link/:token — "Confirm sign-in" interstitial (does NOT consume)
+#   POST /magic_link/:token — consume it: log in OR create the account
 #
 # create-or-login: clicking the link IS proof of email ownership, so an email
 # that collides with a Google/wallet-only account that was never email-verified
@@ -14,6 +15,7 @@
 # sign_in_existing / sign_up_new building blocks.
 class MagicLinksController < ApplicationController
   skip_before_action :require_authentication
+  layout false, only: :confirm
 
   # Respond uniformly for any well-formed email. Under create-or-login every
   # address is "valid" (it logs in or signs up), so there is nothing to
@@ -30,13 +32,22 @@ class MagicLinksController < ApplicationController
     end
   end
 
+  # GET /magic_link/:token is deliberately inert. Email link scanners and link
+  # preview clients frequently prefetch emailed URLs with GET/HEAD; if GET burned
+  # the token, the human's first real click could already be invalid. The page
+  # renders a CSRF-protected form that a browser auto-POSTs to #consume.
+  def confirm
+    # strict-origin strips the token-bearing path from subresource Referer
+    # headers while preserving a usable Origin header for Rails' CSRF origin
+    # check on the consume POST.
+    response.set_header("Referrer-Policy", "strict-origin")
+    @token = params[:token]
+  end
+
+  # POST /magic_link/:token is the authoritative consume. This is the only place
+  # the single-use token is burned.
   def consume
-    # Keep the token out of Referer headers on the consume page's subresource
-    # loads. Single-use + short TTL is the primary defence; this closes the
-    # passive-leak gap. NOTE: aggressive email link-scanners (Outlook SafeLinks,
-    # Mimecast) may pre-fetch the link and burn the single-use token before the
-    # human clicks — a known magic-link tradeoff; documented for support.
-    response.set_header("Referrer-Policy", "no-referrer")
+    response.set_header("Referrer-Policy", "strict-origin")
     result = MagicLink.consume(params[:token])
     user = User.find_by(email: result.email)
     user ? sign_in_existing(user, result) : sign_up_new(result)

data/app/views/magic_links/confirm.html.erb

@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <%= csrf_meta_tags %>
+    <title>Signing you in - <%= Studio.app_name %></title>
+    <style>
+      @keyframes magic-spin { to { transform: rotate(360deg); } }
+
+      * { box-sizing: border-box; }
+
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: grid;
+        place-items: center;
+        color: #f8fafc;
+        background: <%= Studio.theme_dark %>;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      }
+
+      main { width: min(100% - 32px, 420px); text-align: center; }
+
+      .magic-spinner {
+        width: 88px;
+        height: 88px;
+        margin: 0 auto;
+        border-radius: 9999px;
+        border: 8px solid rgba(255, 255, 255, 0.14);
+        border-top-color: <%= Studio.theme_success %>;
+        animation: magic-spin 0.8s linear infinite;
+      }
+
+      .magic-fallback {
+        display: none;
+        margin-top: 2rem;
+        color: rgba(248, 250, 252, 0.8);
+      }
+
+      .magic-fallback p { margin: 0 0 1rem; font-size: 15px; }
+
+      .magic-submit {
+        display: inline-block;
+        max-width: 100%;
+        padding: 14px 34px;
+        border: 0;
+        border-radius: 8px;
+        color: #ffffff;
+        background: <%= Studio.theme_success %>;
+        font: inherit;
+        font-size: 16px;
+        font-weight: 700;
+        cursor: pointer;
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <div class="magic-spinner" role="status" aria-label="Signing you in"></div>
+
+      <div id="magic-fallback" class="magic-fallback">
+        <p>Taking longer than expected?</p>
+        <%= button_to magic_link_consume_path(token: @token),
+              method: :post,
+              form: { id: "magic-consume-form", data: { turbo: "false" } },
+              class: "magic-submit" do %>
+          Sign in to <%= Studio.app_name %>
+        <% end %>
+      </div>
+    </main>
+
+    <noscript>
+      <style>
+        #magic-fallback { display: block !important; }
+        .magic-spinner { display: none; }
+      </style>
+    </noscript>
+
+    <script>
+      (function () {
+        var form = document.getElementById("magic-consume-form");
+        if (form && !form.dataset.autoSubmitted) {
+          form.dataset.autoSubmitted = "1";
+          if (typeof form.requestSubmit === "function") form.requestSubmit();
+          else form.submit();
+        }
+
+        setTimeout(function () {
+          var fallback = document.getElementById("magic-fallback");
+          if (fallback) fallback.style.display = "block";
+        }, 4000);
+      })();
+    </script>
+  </body>
+</html>

data/lib/studio/version.rb

@@ -1,3 +1,3 @@
 module Studio
-  VERSION = "0.5.3"
+  VERSION = "0.5.4"
 end

data/lib/studio.rb

@@ -159,12 +159,16 @@ module Studio
       get  "auth/failure", to: "omniauth_callbacks#failure"
 
       # Passwordless email (magic link). Helpers: magic_link_request_path (POST
-      # to request a link) + magic_link_path(token) / magic_link_url(token:)
-      # (the emailed consume link). The token is a URL-safe MessageVerifier blob
-      # but the constraint guards against a stray "." segment.
+      # to request a link), magic_link_path(token) / magic_link_url(token:)
+      # for the emailed GET confirmation page, and magic_link_consume_path(token)
+      # for the scanner-safe POST consume. The token is a URL-safe
+      # MessageVerifier blob but the constraint guards against a stray "."
+      # segment.
       if Studio.draw_auth_routes && Studio.auth_method?(:magic_link)
-        post "magic_link",        to: "magic_links#create",  as: :magic_link_request
-        get  "magic_link/:token", to: "magic_links#consume", as: :magic_link,
+        post "magic_link",        to: "magic_links#create",   as: :magic_link_request
+        get  "magic_link/:token", to: "magic_links#confirm",  as: :magic_link,
+             constraints: { token: %r{[^/]+} }
+        post "magic_link/:token", to: "magic_links#consume",  as: :magic_link_consume,
              constraints: { token: %r{[^/]+} }
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: studio-engine
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.5.4
 platform: ruby
 authors:
 - Alex McRitchie
@@ -184,6 +184,7 @@ files:
 - app/views/layouts/_navbar.html.erb
 - app/views/layouts/studio/_flash.html.erb
 - app/views/layouts/studio/_head.html.erb
+- app/views/magic_links/confirm.html.erb
 - app/views/navbar/show.html.erb
 - app/views/registrations/new.html.erb
 - app/views/schema/index.html.erb