Unable to set up rodauth rails to work properly in Rails 8 existent app

[Tripple-A]

I've had a really tough time setting up rodauth rails to work in an existent Rails 8 app. We already have an existent users table and have set up rodauth to continue with this table. It has an email field and a password digest field from bcrypt.

We also have an existent route that takes care of user creation within a transaction along with other entities. We would like to generate a verification key after user creation and then send an email to the user after to verify their account. We haven't found any documentation to point us at how to do this within a job after user creation, as we're not accessing rodauth from a controller.

We can call RodauthApp.rodauth.verify_account(account_login: "email@example.com"), but we can't find docs that point us to the specific methods we need to both generate the key and send the email. RodauthApp.rodauth.methods generates a couple but we can't go through them all one after the other till we find the appropriate one.

Secondly when we try to create a user via the /create_account endpoint, we get the error - passwords do not match despite us providing the email and password in the request.

Request

{
    "email": "email@a.com",
    "password": "password",
}

Response
{
    "field-error": [
        "password",
        "passwords do not match"
    ],
    "error": "There was an error creating your account"
}

When we try to login a user, we get the success message that the user has been logged in but with no token provided, even though the documentation says with jwt enabled, the token will be sent back. We did set the secret in the main.rb file as jwt_secret ENV.fetch('RODAUTH_JWT_SECRET') { Rails.application.secret_key_base }

{
    "token": null,
    "success": "You have been logged in"
}

How can we figure out the methods available to rodauth in order access it within a job and send the emails as well as generate the verification keys? How can we get a token back from the login request?

These are just the basics for authentication we're trying to set up and we haven't even begun the advanced stuff. We would appreciate it if anyone points us to accurate docs to help implement rodauth or point out what we're missing.

Thank you

[janko]

Commented in #347 (comment), but let's continue the discussion here.

[Tripple-A]

Thanks for your response @janko !

Did you try using the create_account internal request method, which automatically sends a verification email after user creation?

Yeah! I finally resorted to using this even though it requires setting the other fields manually in a before_create hook and adding the created_at and updated_fields so that the record can be saved via Active Record. Is there any less manual way of doing this?

Rodauth returns the JWT in the Authorization header, I don't think it also returns a token field in the JSON response (unless you've enabled jet_refresh and set jwt_access_token_key "token").

Alright! Can you please point me to the documentation that addresses refreshing the tokens or setting them? Even if we leave them in the header without sending a token back, we'd like them to expire after a given time for security purposes. I tried enabling jwt_refresh but got errors about missing tables. So, I'm guessing we'd need to generate tables for the newly enabled feature.

[janko]

I finally resorted to using this even though it requires setting the other fields manually in a before_create hook and adding the created_at and updated_fields so that the record can be saved via Active Record. Is there any less manual way of doing this?

You could pass custom params to the internal request method:

before_create_account do
  if internal_request?
    account[:foo] = param("foo")
    # ...
  end
end

RodauthApp.rodauth.create_account(..., params: { "foo" => "bar" })

Or you could have the block passed to create_account be evaluated in the before_create_account hook, something like:

before_create_account do
  # ...
  instance_eval(&internal_request_block) if internal_request?
end

RodauthApp.rodauth.create_account(...) do
  account[:foo] = "bar"
  # ...
end

Can you please point me to the documentation that addresses refreshing the tokens or setting them?

The JWT Refresh feature page documents refreshing. Not sure what you mean by setting them, they are automatically set on any JSON request.

Even if we leave them in the header without sending a token back, we'd like them to expire after a given time for security purposes.

I think your best bet is using the jwt_refresh feature. In case you missed it, you can create the tables with rails g rodauth:migration jwt_refresh.

[Tripple-A]

Thanks for the suggestions!

Yeah, what I did try was the first

before_create_account do
  if internal_request?
    account[:foo] = param("foo")
    # ...
  end
end

It requires manually assigning the field values in the before_create_account method using the account[:key] = value, etc. I was hoping there was something less manual, but it’s alright, I can leave it as is.

I’d check the jwt refresh doc and revert on how it goes.

Thank you!

[janko]

You could try:

RodauthApp.rodauth.create_account(..., params: { "attributes" => { foo: "bar", ... } })

before_create_account do
  if internal_request?
    account.merge! raw_param("attributes")
    # ...
  end
end

[Tripple-A]

Tried that, it didn't work. I keep getting the error Error: There was an error creating your account (login_too_short, {"email"=>"invalid login, minimum 3 characters"}) because for some reason, changing the structure of the params hash bypasses the before_create. Really weird behaviour.

[Tripple-A]

Also, @janko , do you have any experience using Rodauth Rails in a Sorbet typed ruby project. Despite generating the rbis, the methods seem not be recognized, and I can't find most of them in the rbi files either.

[janko]

I don't have any experience with Sorbet. I imagine the metaprogramming in Rodauth trips it up.

I was recently considering whether there is a way to generate RDoc documentation for features, but the metaprogramming was an issue there as well.