OmniAuth login and registration for Rodauth authentication framework
MIT License
Added the omniauth_create_account?
configuration method for disabling automatic account creation.
For example, if you have OmniAuth links on both login and registration pages, and you want the OmniAuth login on the login page to only log into existing accounts, you could configure this so that it's controlled via a query parameter:
# somewhere in your view template:
rodauth.omniauth_request_path(:google, action: "login") #=> "/auth/github?action=login"
# in your Rodauth configuration:
omniauth_create_account? { omniauth_params["action"] != "login" }
Unverified accounts are now automatically verified when logging in via OmniAuth if the external email matches the email of the local account. This can be disabled by adding omniauth_verify_account? false
to your Rodauth configuration.
When making a GET request to the request path when only POST requests are allowed, a 404 response is now returned instead of an error.
Calling omniauth_*
methods that read data from Rack env hash will now return nil
instead of raising a KeyError
when the omniauth.<key>
item isn't present in the env hash.
NoMethodError: undefined method
destroy' for nil` when login is trying to clear the session in JWT mode without session middleware (https://github.com/janko/rodauth-omniauth/discussions/13).Added account_from_omniauth
auth method for changing how an existing account is found for a new external identity. By default, it searches for accounts with the same email as the external identity.
account_from_omniauth do
account_table_ds.first(email: omniauth_email) # roughly the default implementation
end
# or
account_from_omniauth {} # new identity = new account
Calling OmniAuth endpoints via JWT requests should now work correctly when using something other than Roda sessions plugin, such as Rack::Session::Cookie
or Rails session.
When attempting to log into an account that's unverified, an error reason is now set to :unverified_account
when returning the error response.
When there is an OmniAuth authentication failure, an error reason is now set to :omniauth_failure
when returning the error response.
When a user is logged in via OmniAuth, and they've authenticated via password through the confirm_password feature, the session is no longer considered multifactor authenticated.
This should be a safer default, considering that people still reuse passwords, so a database breach might allow the attacker to log into both accounts using the same credentials, and the developer might not be aware they've allowed using OmniAuth login as 2nd factor in the first place.