I need a pointer here… Some docs talk about denying a user that hasn’t verified their email address yet…
If you want to do something other than immediately let a user log in if their username/password is correct, you can add additional logic in
login.handler()
. For example, if a user’s credentials are correct, but they haven’t verified their email address yet, you can throw an error in this function with the appropriate message and then display it to the user. If the login should proceed, simply return the user that was passed as the only argument to the function: Authentication | RedwoodJS Docs
The code doesn’t seem to be part of the dbAuth…
I can add a verified boolean to the User record, but what is next?
I can send a welcome email, and include a verify link – I could generate a GUID for the round-trip and store that in the database
But how can I add the route to the dbAuth? I don’t understand where the routing in ./the api is – I’m thinking I can then go from there to logged in [home]
And how can I return a message to display that won’t be treated as an Error ?
Thanks!
Al;
import { nanoid } from 'nanoid'
const nodemailer = require('nodemailer');
import { db } from 'src/lib/db'
import { DbAuthHandler } from '@redwoodjs/api'
import { logger } from 'src/lib/logger'
export const handler = async (event, context) => {
const forgotPasswordOptions = {
// handler() is invoked after verifying that a user was found with the given
// username. This is where you can send the user an email with a link to
// reset their password. With the default dbAuth routes and field names, the
// URL to reset the password will be:
//
// https://example.com/reset-password?resetToken=${user.resetToken}
//
// Whatever is returned from this function will be returned from
// the `forgotPassword()` function that is destructured from `useAuth()`
// You could use this return value to, for example, show the email
// address in a toast message so the user will know it worked and where
// to look for the email.
handler: (user) => {
logger.debug(`sending email via: ${process.env.SMTP_HOST}`)
let transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: 2525,
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS
}
})
const resetLink = `${process.env.REDIRECT_URL}/reset-password?resetToken=${user.resetToken}`
const message = {
from: process.env.AUTH_EMAIL_FROM,
to: user.email,
subject: "Reset Forgotten Password",
html: `Here is a link reset your password. It will expire after 4hrs. <a href="${resetLink}">Reset my Password</>`
}
transporter.sendMail(message, (err, info) => {
if (err) {
console.log(err)
} else {
console.log(info);
}
})
return user
},
// How long the resetToken is valid for, in seconds (default is 24 hours)
expires: 60 * 60 * 4,
errors: {
// for security reasons you may want to be vague here rather than expose
// the fact that the email address wasn't found (prevents fishing for
// valid email addresses)
usernameNotFound: 'Username not found',
// if the user somehow gets around client validation
usernameRequired: 'Username is required',
},
}
const loginOptions = {
// handler() is called after finding the user that matches the
// username/password provided at login, but before actually considering them
// logged in. The `user` argument will be the user in the database that
// matched the username/password.
//
// If you want to allow this user to log in simply return the user.
//
// If you want to prevent someone logging in for another reason (maybe they
// didn't validate their email yet), throw an error and it will be returned
// by the `logIn()` function from `useAuth()` in the form of:
// `{ message: 'Error message' }`
handler: (user) => {
if (!user.verified) {
throw new Error('Please validate your email first!')
} else {
return user
}
},
errors: {
usernameOrPasswordMissing: 'Both username and password are required',
usernameNotFound: 'Username ${username} not found',
// For security reasons you may want to make this the same as the
// usernameNotFound error so that a malicious user can't use the error
// to narrow down if it's the username or password that's incorrect
incorrectPassword: 'Incorrect password for ${username}',
},
// How long a user will remain logged in, in seconds
expires: 60 * 60 * 24 * 365 * 10,
}
const resetPasswordOptions = {
// handler() is invoked after the password has been successfully updated in
// the database. Returning anything truthy will automatically logs the user
// in. Return `false` otherwise, and in the Reset Password page redirect the
// user to the login page.
handler: (user) => {
return user
},
// If `false` then the new password MUST be different than the current one
allowReusedPassword: true,
errors: {
// the resetToken is valid, but expired
resetTokenExpired: 'resetToken is expired',
// no user was found with the given resetToken
resetTokenInvalid: 'resetToken is invalid',
// the resetToken was not present in the URL
resetTokenRequired: 'resetToken is required',
// new password is the same as the old password (apparently they did not forget it)
reusedPassword: 'Must choose a new password',
},
}
const signupOptions = {
// Whatever you want to happen to your data on new user signup. Redwood will
// check for duplicate usernames before calling this handler. At a minimum
// you need to save the `username`, `hashedPassword` and `salt` to your
// user table. `userAttributes` contains any additional object members that
// were included in the object given to the `signUp()` function you got
// from `useAuth()`.
//
// If you want the user to be immediately logged in, return the user that
// was created.
//
// If this handler throws an error, it will be returned by the `signUp()`
// function in the form of: `{ error: 'Error message' }`.
//
// If this returns anything else, it will be returned by the
// `signUp()` function in the form of: `{ message: 'String here' }`.
handler: async ({ username, hashedPassword, salt, userAttributes }) => {
logger.debug(`sending email via: ${process.env.SMTP_HOST}`)
let transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: 2525,
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS
}
})
const verifyLink = `${process.env.REDIRECT_URL}/verify-email?verifyToken=${user.verifyToken}`
const message = {
from: process.env.AUTH_EMAIL_FROM,
to: username,
subject: "Reset Forgotten Password",
html: `Welcome, please click this link to <a href="${verifyLink}">Verify Your Email Address</>`
}
transporter.sendMail(message, (err, info) => {
if (err) {
console.log(err)
} else {
console.log(info);
}
})
await db.user.create({
data: {
email: username,
hashedPassword: hashedPassword,
salt: salt,
// name: userAttributes.name,
id: nanoid()
},
})
return { message: 'Thank you for creating your account. Please go to your email and click the Verify Your Email Address link before logging in.'}
},
errors: {
// `field` will be either "username" or "password"
fieldMissing: '${field} is required',
usernameTaken: 'Username `${username}` already in use',
},
}
const authHandler = new DbAuthHandler(event, context, {
// Provide prisma db client
db: db,
// The name of the property you'd call on `db` to access your user table.
// ie. if your Prisma model is named `User` this value would be `user`, as in `db.user`
authModelAccessor: 'user',
// A map of what dbAuth calls a field to what your database calls it.
// `id` is whatever column you use to uniquely identify a user (probably
// something like `id` or `userId` or even `email`)
authFields: {
id: 'id',
username: 'email',
hashedPassword: 'hashedPassword',
salt: 'salt',
resetToken: 'resetToken',
resetTokenExpiresAt: 'resetTokenExpiresAt',
},
forgotPassword: forgotPasswordOptions,
login: loginOptions,
resetPassword: resetPasswordOptions,
signup: signupOptions,
})
return await authHandler.invoke()
}