Closed janko closed 3 years ago
I've been working on this on-and-off for about a month now, but I'm still not sure whether it would make sense to merge it. It might be dangerous to bypass Rodauth hooks like this; for example, audit logs wouldn't be created when creating accounts this way.
For now I'll leave it in the pull request state, so that others know this direction exists, and are able to provide feedback.
I would like to keep the password attribute and associations, but I've decided to remove the validations.
I think it's useful to be able to easily create accounts in the development console or in tests, but having validations would encourage people to build forms around the account model, which is discouraged because it doesn't execute hooks and other things. The most common use case for this is an admin that can perform authentication operations on behalf of other users, but for this the upcoming internal_request feature should be used.
The associations are also really convenient for querying, and I think it's obvious that modifying them directly is at own risk.
Currently, creating an account with a password programmatically is a bit cumbersome, mostly due to bcrypt-hashing, especially when the password is stored in a separate table. This adds friction in development and in tests, and also for anyone wanting to implement simple user creation by admins. Devise, Sorcery, and has_secure_password all provide this level of convenience.
Additionally, there are cases where it's useful to be able to directly query associated tables (e.g. retrieving all accounts that have MFA enabled), and it might not be obvious how to declare associations, e.g:
To address this friction, we add a
Rodauth::Rails::Model
mixin that can be be included into the account model:It provides password attribute and validations (works for both password hash column and password hash table):
And login validations:
It also defines associations based on the Rodauth configuration:
Alternative configurations are supported as well: