jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Make `#require_account` method public #212

Closed janko closed 2 years ago

janko commented 2 years ago

Follow-up to the discussion in https://github.com/jeremyevans/rodauth/discussions/210

This allows ensuring the account exists in the database before proceeding with the request. This is useful for preventing errors in development when the account record has been manually deleted, or if the account record has been deleted in production for whatever reason, and the performance impact of fetching the account record on each request is acceptable.

jeremyevans commented 2 years ago

Looks good, thanks for working on this.

janko commented 2 years ago

@jeremyevans I wanted this method to be a drop-in replacement for #require_authentication and #require_login, but I just found one edge case when using the verify_account feature without verify_account_grace_period. There we expect an unverified account to be allowed to use the app until the session expires. However, #account_from_session that gets called will only find verified accounts, and thus would immediately log out the user that just created the account (assuming #require_account was called).
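A simplified in-memory model of the two checks discussed in this thread (session-only vs. database-backed), added here as an illustration and not Rodauth's own implementation; the `Authz` class, the status codes and the accounts hash are constructed for the example, and `allow_unverified` stands in for a grace period:

```ruby
# Constructed status codes for the example (not taken from Rodauth's schema)
STATUS_UNVERIFIED = 1
STATUS_VERIFIED   = 2

# Constructed in-memory "accounts table": id => row
ACCOUNTS = {
  1 => { id: 1, status: STATUS_VERIFIED },
  2 => { id: 2, status: STATUS_UNVERIFIED }, # just signed up, not yet verified
}.freeze

class Authz
  # session: a mutable hash standing in for the request session
  # allow_unverified: true models a configured verification grace period
  def initialize(accounts, session, allow_unverified: false)
    @accounts = accounts
    @session = session
    @allow_unverified = allow_unverified
  end

  # Session-only check, like require_authentication: trusts the session
  # and never touches the database, so a deleted account row goes unnoticed.
  def require_authentication
    @session[:account_id] ? :ok : :redirect_login
  end

  # Database-backed check, like require_account: also loads the account row.
  # When the row cannot be found, the session is cleared (the user is logged out).
  def require_account
    return :redirect_login unless @session[:account_id]
    return :ok if account_from_session
    @session.delete(:account_id)
    :logout
  end

  private

  # Models account_from_session: only verified accounts are found unless
  # unverified ones are explicitly allowed (grace period).
  def account_from_session
    row = @accounts[@session[:account_id]]
    return nil unless row
    allowed = @allow_unverified ? [STATUS_VERIFIED, STATUS_UNVERIFIED] : [STATUS_VERIFIED]
    allowed.include?(row[:status]) ? row : nil
  end
end
```

With autologin after signup disabled, the unverified account never gets a session in the first place, so both checks agree; the divergence only appears when an unverified account is logged in without a grace period.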

jeremyevans commented 2 years ago

verify_account sets create_account_autologin? to false, so I assume this is only a problem if a user sets it to true. In that case, the user needs to choose whether they want to require accounts or whether they want to allow autologin for unverified users when accounts are created.

janko commented 2 years ago

Thanks for merging so promptly 🙂

> verify_account sets create_account_autologin? to false, so I assume this is only a problem if a user sets it to true

Oh, right, I thought autologin after account creation stays on by default. OK, since I don't expect turning autologin on will be common, I agree it's a decent trade-off 👍🏻