Magic link auth

app/models/consultee.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Consultee < ApplicationRecord
+  include BopsCore::MagicLinkable
+
   attribute :selected, :boolean, default: false
 
   belongs_to :consultation

engines/bops_consultees/app/controllers/bops_consultees/dashboards_controller.rb

@@ -2,6 +2,8 @@
 
 module BopsConsultees
   class DashboardsController < ApplicationController
+    include BopsCore::MagicLinkAuthenticatable
+
     def show
       respond_to do |format|
         format.html

engines/bops_consultees/config/routes.rb

@@ -4,4 +4,8 @@
   root to: redirect("dashboard")
 
   resource :dashboard, only: %i[show]
+
+  get "magic_link", to: "dashboards#magic_link", as: :magic_link
+
+  devise_for :consultees, class_name: "Consultee"
 end

engines/bops_core/app/controllers/concerns/bops_core/magic_link_authenticatable.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module BopsCore
+  module MagicLinkAuthenticatable
+    extend ActiveSupport::Concern
+
+    SGID_FOR = "magic_link"
+
+    included do
+      rescue_from ActionController::ParameterMissing do |exception|
+        render plain: "Not Found", status: :not_found
+      end
+    end
+
+    def magic_link
+      resource = GlobalID::Locator.locate_signed(sgid, for: SGID_FOR)
+
+      if resource.nil?
+        redirect_failed
+        return
+      end
+
+      sign_in(resource)
+      redirect_to after_magic_link_path_for(resource), notice: "Welcome!"
+    end
+
+    private
+
+    def sgid
+      params.require(:sgid)
+    end
+
+    def redirect_failed
+      render plain: "Forbidden", status: :forbidden
+    end
+
+    def after_magic_link_path_for(resource)
+      if resource.is_a?(Consultee)
+        bops_consultees.dashboard_path
+      else
+        main_app.root_path
+      end
+    end
+  end
+end

engines/bops_core/app/mailers/concerns/bops_core/magic_link_mailer.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module BopsCore
+  class MagicLinkMailer < ApplicationMailer
+    def magic_link_mail(resource:, subdomain:, subject: "Your magic link")
+      @resource = resource
+      @magic_link = resource.magic_link
+      @subdomain = subdomain
+
+      mail(
+        to: resource.email_address,
+        subject:
+      )
+    end
+  end
+end

engines/bops_core/app/models/concerns/bops_core/magic_linkable.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module BopsCore
+  module MagicLinkable
+    extend ActiveSupport::Concern
+    include GlobalID::Identification
+
+    def magic_link(expires_in: 1.day, for: "magic_link")
+      to_sgid(expires_in:, for:).to_s
+    end
+  end
+end

engines/bops_core/app/views/bops_core/magic_link_mailer/magic_link_mail.text.erb

@@ -0,0 +1,7 @@
+Hello <%= @resource.name %>
+
+Click the link below to access your dashboard:
+
+<%= link_to "Access Dashboard", bops_consultees.magic_link_url(sgid: @magic_link, subdomain: @subdomain) %>
+
+This link will expire in 24 hours.

engines/bops_core/config/routes.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
 
 BopsCore::Engine.routes.draw do
+  get "magic_link", to: "magic_links#show", as: :magic_link
 end