Additional user verification each time a user accesses the system

[KlausEB]

Greetings everyone!

We are using Rodauth on a project and we have an additional need for additional user validation. Situation:

1. There is an Customer model and a related Client model (one client can have many employees).
2. If a Customer has been deactivated, it is required to block all its employees from using the system

At the login level I managed to implement it via before_login hook:

rodauth_main.rb

before_login do
  if rails_account.employee.blank? && rails_account.client&.inactive?
    throw_error_status(403, "email", no_matching_login_message)
  end
end

And additionally prohibited through ApplicationPolicy similar users to have access to the corresponding resources

def require_customer
deny! unless account&.customer&.client&.active? || account&.admin?
end

However, then the following problem occurs: If a customer is logged in and then a related client is deactivated, the user just sees an error window without the ability to log out and log in with another account. I've tried other hooks (before_rodauth, around_rodauth and others) but they don't work in my case.

I also tried doing something via rodauth_app.rb, but that didn't work either - and apparently the body of the before_login block goes through first, no logout logic happens (even if you write it directly in before_login, but I think that's how it's designed), and then the rodauth_app is executed, where my code loops around

rodauth_app.rb

if rodauth.logged_in? && rodauth.rails_account.employee.blank? && rodauth.rails_account.client&.inactive?
  rodauth.logout
end

At the end, I tried solving this via after_login instead of before_login by calling logout directly:

after_login do
  if rails_account.employee.blank? && rails_account.client&.inactive?
    throw_error_status(403, "email", no_matching_login_message)
    logout
  end
end

And it worked! However, I was wondering if there isn't a better solution for this? Thanks in advance

[janko]

One possible solution would be to use the active_sessions feature, and upon client deactivation delete all active sessions belonging to employee accounts. That will log out existing users on next visit, and the before_login hook can keep them from logging in.

Regarding manual code in your Rodauth app's route block, not sure what the problem was there exactly, but my guess is that loading rails_account before logout is problematic, because logout doesn't clear rails_account, so the user might appear logged in unless logged_in? or authenticated? is checked (or require_{account,authentication,login} is called).

Yeah, using after_login hook to cancel the login is probably not ideal. For one, since you're throwing an error first, the logout won't get called, so I think you'll need to reverse the order. I also initially thought this is also wouldn't work well with the audit_logging feature, but a successful login will not get recorded if after_login throws. Overall, I'm not sure what advantage the after_login hook provides over the before_login version.

[KlausEB]

Thank you for your reply. However, I'm not sure how active_sessions is supposed to work here. As I understand it, the problem is in my already_logged_in { redirect rails_routes.root_path } - it's the reason why it's cycling and not getting the rodauth.logout in RodauthApp to work properly. Even if I delete all sessions (by the way, maybe some additional configuration is required so that a user without sessions cannot be in the system at all?), this endless loop generates them again

If I remove already_logged_in, and put before_login instead of after_login, everything works within my old solution. But I need already_logged_in, and I can't remove it from the project

[janko]

It seems I don't have a full picture of your Rodauth configuration. It would help a lot if you shared a minimal Rails app that reproduces the issue.

That being said, if things are working for you, then it's probably not necessary to change things.