jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License
1.67k stars 95 forks

Skip rendering reset password request form on invalid login attempt for internal requests #303

Closed janko closed 1 year ago

janko commented 1 year ago

The internal request auth subclass doesn't have a real request context, and doesn't execute Roda's route block, so it might not have what is necessary to render view templates.

I encountered this when using Rodauth as a library, where the reset password request form failed to render due to a missing session handler, raised when Rodauth attempted to generate the CSRF tag.

janko commented 1 year ago

I was wondering whether it would make sense for the internal_request mixin to fail when any view attempts to be rendered, so that the developer gets a more explicit error message.

jeremyevans commented 1 year ago

Thanks for the patch. I'll test and merge shortly.

In terms of failing when any views are rendered, you can try that out and see if it breaks any specs. The mailing uses render and not view, so at least that would have to be allowed.