Awesome

Rodauth Rails Demo

Example app that demonstrates how to integrate Rodauth authentication framework into Rails using the rodauth-rails gem.

It implements the following authentication features:

• creating an account with verification and a grace period
• password login or passwordless login (email, passkey) with remembering
• reset and change password
• change email with verification
• password confirmation dialog before sensitive actions
• multifactor authentication (TOTP, SMS codes, recovery codes, passkeys)
• social login with rodauth-omniauth
• tracking active sessions
• close account

It uses custom views generated by rodauth-rails. It also includes example system tests for all authentication features.

Admin account

The app has an additional /admin section that can be accessed by a separate admin account type. Authentication for admin accounts is defined in RodauthAdmin, which inherits shared configuration from RodauthBase, and adds additional behaviour:

• setting up MFA is required
• account is locked on 4th invalid login attempt
• password complexity requirements
• disallow common or breached passwords
• account creation from the console (disabled in UI)
• closed accounts are deleted from the database

Login for admin and main account types are separated, and account records are differentiated by the accounts.type column.

JSON API

The JWT feature is enabled, providing JSON API access to Rodauth endpoints using JWT.

Here is an example JSON request for account creation, which includes the email and the custom name parameter:

POST /create-account
Content-Type: application/json

{ "email": "user@example.com", "name": "User", "password": "secret123" }

200 OK
Content-Type: application/json
Authorization: eyJhbGciOiJIUzI1NiJ9.eyJhY2NvdW50X2lkIjo2NywidW52Z...

{ "success": "An email has recently been sent to you with a link to verify your account" }

Here is an example JSON request for account verification, which includes the token from the verification email link and the password for the account:

POST /verify-account
Content-Type: application/json

{ "key": "81_nG-P3iYpWc3Y4-A74J821ssYHctlOhChUCPfsDh96Q4" }

200 OK
Content-Type: application/json
Authorization: eyJhbGciOiJIUzI1NiJ9.eyJhY2NvdW50X2lkIjo4MiwiYXV0a...

{ "success": "Your account has been verified" }