Rodauth-rails - bug?

[pozzos]

Dear Janko.

First up, thanks for making some great software!

I hope I'm not wasting your time with this, but it seems to me the
default behaviour is somewhat expected. I have setup rodauth rails
using the --jwt option. In my application there is a react frontend
that calls to /create-account and this triggers an email with a
verification link. This verification link doesn't work, as the
only_json? true option blocks it. However, even turning this off
doesn't work, as it then transpires you need a Roda sessions plugin.

Am I just being stupid? It seems to me that even in json mode calls to
/verify-account should accept browser requests, as otherwise email
verification becomes very impractical (you'd have to have a link to
some page that then itself fires off some json, which seems very
inconvenient). Is there an easy way to change this behaviour whilst
keeping the rest of the Rails app in api mode? Sessions ought to be
unnecessary as we just want to trigger the validation.

Any advice would be really gratefully received.

Best regards,
Sebastian

[janko]

First of all, in a SPA + API setup, email links should be routed by the frontend app, because the browser should be receiving HTML pages. Since the API is serving JSON responses, and doesn't do any redirects (at least Rodauth doesn't in JSON mode), it cannot be the one email links point to.

In Rodauth, account verification happens in a POST request, the GET route simply renders the form in HTML mode. In JSON-only mode, GET routes are disabled, because what would they return? It would be incorrect for a GET request to perform account verification, because GET requests shouldn't be modifying resources. Furthermore, depending on your configuration, setting the password might be part of the account verification step.

With this in mind, the correct flow would be for the email link to point to the frontend app, then have the frontend app issue an AJAX request to the POST /verify-account route, providing the token. You can see an example of this JSON request in the demo app README.

[pozzos]

Dear Janko,

Thank you very much for taking the time to reply - I see what you mean. I had hoped to do a browser redirect, but if this is not possible I shall do as you suggest and handle the AJAX in my SPA.

Best regards,
Sebastian