From https://once.com/writebook

app/controllers/sessions_controller.rb

@@ -0,0 +1,34 @@
+class SessionsController < ApplicationController
+  allow_unauthenticated_access only: %i[ new create ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { render_rejection :too_many_requests }
+
+  before_action :ensure_user_exists, only: :new
+
+  def new
+  end
+
+  def create
+    if user = User.active.authenticate_by(email_address: params[:email_address], password: params[:password])
+      start_new_session_for user
+      redirect_to post_authenticating_url
+    else
+      render_rejection :unauthorized
+    end
+  end
+
+  def destroy
+    reset_authentication
+
+    redirect_to root_url
+  end
+
+  private
+    def ensure_user_exists
+      redirect_to first_run_url if User.none?
+    end
+
+    def render_rejection(status)
+      flash[:alert] = "Too many requests or unauthorized."
+      render :new, status: status
+    end
+end