# Rails Security Patterns
## 1. Passwordless Authentication (Magic Links)
Password-based auth brings weak passwords, reuse, and credential stuffing. Magic links avoid storing passwords at all: the user enters an email address, receives a short-lived one-time code, and enters it to authenticate. The trade-off is that account security now rests on the user's mailbox, and a short code is only safe if it is generated from a CSPRNG, expires quickly, is single-use, and the verification endpoint is rate-limited against guessing.
```ruby
# app/models/magic_link.rb
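class MagicLink < ApplicationRecord
  # Length of the generated code. Generation and normalization are delegated to
  # the `Code` helper (not shown here) — confirm it draws from SecureRandom: a
  # 6-character code is only safe if it is unpredictable AND the endpoint that
  # calls `consume` is rate-limited, since 15 minutes is plenty for online guessing.
  CODE_LENGTH = 6
  EXPIRATION_TIME = 15.minutes

  belongs_to :identity

  # Why the link was issued; `for_sign_in?` / `for_sign_up?` predicates.
  enum :purpose, %w[ sign_in sign_up ], prefix: :for, default: :sign_in

  # Not-yet-expired vs. already-expired rows. A row whose expires_at equals
  # Time.current matches both; harmless, since consumption deletes the row.
  scope :active, -> { where(expires_at: Time.current...) }
  scope :stale, -> { where(expires_at: ..Time.current) }

  before_validation :generate_code, on: :create
  before_validation :set_expiration, on: :create

  # Model-level uniqueness is checked with a SELECT and is racy under concurrent
  # inserts; it must be backed by a unique DB index on `code` (verify in the
  # migration, which is not visible here).
  validates :code, uniqueness: true, presence: true

  class << self
    # Look up an unexpired link by a user-supplied code and consume it.
    #
    # @param code [String, nil] raw value from the request; normalized via Code.sanitize
    # @param purpose [Symbol, String, nil] when given, only a link issued for that
    #   purpose is accepted, so a sign_up code cannot be replayed as a sign_in code
    # @return [MagicLink, nil] the consumed (deleted, frozen) record, or nil when no
    #   active link matches or a concurrent request consumed it first
    def consume(code, purpose: nil)
      sanitized = Code.sanitize(code)
      # Never query with a blank code: find_by(code: nil) matches any row whose
      # code column is NULL, which would turn a garbage submission into a login.
      return nil if sanitized.blank?

      candidates = active
      candidates = candidates.where(purpose: purpose) if purpose
      candidates.find_by(code: sanitized)&.consume
    end

    # Purge expired links. Safe to run from a scheduler; nothing else references them.
    def cleanup
      stale.delete_all
    end
  end

  # Mark this link as used by deleting it. Codes are single-use, so the delete is
  # done with a row-count check: if two requests race on the same code only the
  # one whose DELETE removes the row succeeds; the loser gets nil.
  #
  # Uses a direct DELETE (no destroy callbacks) — this class defines none, but
  # re-check if any are added later.
  #
  # @return [MagicLink, nil] self (frozen, attributes still readable) or nil if lost the race
  def consume
    return nil unless self.class.where(id: id).delete_all == 1

    freeze
    self
  end

  private

  # Pick a code that is not already in use. The exists? probe only narrows the
  # window; the unique index behind the validation is the real guarantee.
  def generate_code
    self.code ||= loop do
      candidate = Code.generate(CODE_LENGTH)
      break candidate unless self.class.exists?(code: candidate)
    end
  end

  def set_expiration
    self.expires_at ||= EXPIRATION_TIME.from_now
  end
end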
```
```ruby
# app/models/identity.rb
# Create a magic link for this identity and email its code.
#
# @param attributes [Hash] column values for the new MagicLink (e.g. purpose: :sign_up).
#   NOTE(review): this is a plain hash, so strong-parameter filtering does not apply —
#   pass only server-chosen keys here, never raw request params, because `code` and
#   `expires_at` would otherwise be assignable by the caller.
# @return [MagicLink] the persisted link
# @raise [ActiveRecord::RecordInvalid] if the link fails validation
def send_magic_link(**attributes)
  magic_link = magic_links.create!(attributes)
  # One mailer template regardless of purpose — presumably intended; verify.
  MagicLinkMailer.sign_in_instructions(magic_link).deliver_later
  magic_link
end
# app/controllers/sessions/magic_links_controller.rb
def c