Example app that demonstrates how to integrate the Rodauth authentication framework into Rails using the rodauth-rails gem.
It implements the following authentication features:
- creating an account with email verification and a grace period during which the unverified account can still log in
- password login or passwordless login (email, passkey)
- reset and change password
- change email with verification
- password confirmation dialog before sensitive actions
- multifactor authentication (TOTP, SMS codes, recovery codes, passkeys)
- social login with rodauth-omniauth
- long-lived trackable active sessions
- close account
It uses custom views generated by rodauth-rails. It also includes example system tests for all authentication features.
The app has an additional /admin section that can be accessed by a separate admin account type. Authentication for admin accounts is defined in RodauthAdmin, which inherits shared configuration from RodauthBase and adds the following behaviour:
- setting up MFA is required
- the account is locked on the 4th invalid login attempt
- password complexity requirements
- common or breached passwords are disallowed
- accounts are created from the Rails console (creation is disabled in the UI)
- closed accounts are deleted from the database
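The password and lockout rules in the admin list above, as an added stand-alone example (this is not the app's or Rodauth's own code; in the app Rodauth provides the equivalent checks through its password_complexity, disallow_common_passwords and lockout features). The common-password list, the breach corpus and the range lookup are constructed so that the block runs offline; the breach check follows the k-anonymity pattern of sending only the first five hex characters of the SHA-1 and matching the remainder locally, with the lookup function standing in for the HTTPS call.

```ruby
require "digest"

# Constructed sample of a common-password list (a real deployment uses a large corpus).
COMMON_PASSWORDS = %w[password 123456 qwerty letmein welcome1].freeze

# Constructed stand-in for a breach corpus: upper-case hex SHA-1 of a few passwords.
BREACHED_SHA1 = %w[secret123 Tr0ub4dor&3].map { |p| Digest::SHA1.hexdigest(p).upcase }.freeze

# Offline stand-in for a k-anonymity range query: given the first 5 hex chars of a
# SHA-1, return [suffix, count] pairs for every corpus entry sharing that prefix.
def range_lookup(prefix)
  BREACHED_SHA1.select { |h| h.start_with?(prefix) }.map { |h| [h[5..], 1] }
end

# Only the 5-char prefix leaves the process; the full hash is matched locally.
def breached?(password, lookup: method(:range_lookup))
  sha1 = Digest::SHA1.hexdigest(password).upcase
  prefix, suffix = sha1[0, 5], sha1[5..]
  lookup.call(prefix).any? { |candidate, _count| candidate == suffix }
end

# Constructed complexity policy for the admin account type.
def complexity_errors(password)
  errors = []
  errors << "must be at least 12 characters" if password.length < 12
  errors << "must contain a lowercase letter" unless password.match?(/[a-z]/)
  errors << "must contain an uppercase letter" unless password.match?(/[A-Z]/)
  errors << "must contain a digit" unless password.match?(/\d/)
  errors << "must contain a symbol" unless password.match?(/[^A-Za-z0-9]/)
  errors << "must not repeat a character 3 times in a row" if password.match?(/(.)\1\1/)
  errors
end

# Full check: complexity, then common list, then breach corpus.
def password_errors(password)
  errors = complexity_errors(password)
  errors << "is too common" if COMMON_PASSWORDS.include?(password.downcase)
  errors << "has appeared in a data breach" if breached?(password)
  errors
end

def acceptable_password?(password)
  password_errors(password).empty?
end

# Lockout rule from the list above: the 4th consecutive invalid login locks the
# account, and a locked account rejects even a correct password. State is a
# constructed hash { failures:, locked: } standing in for the account's lockout rows.
MAX_INVALID_LOGINS = 3

def login_attempt(state, password_ok)
  return state.merge(rejected: true) if state[:locked]
  return state.merge(failures: 0, rejected: false) if password_ok

  failures = state[:failures] + 1
  state.merge(failures: failures, locked: failures > MAX_INVALID_LOGINS, rejected: true)
end
```

The complexity rules are deliberately modest; the breach and common-list checks do more against real attacks than extra character classes, and the lockout counter should be reset only on a successful login, never on a failed one.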
Logins for the admin and main account types are separate, and account records are differentiated by the accounts.type column.
The JWT feature is enabled, providing JSON API access to Rodauth endpoints using JWT. The token is returned in the Authorization response header and must be sent back in the Authorization request header on subsequent requests.
Here is an example JSON request for account creation, which includes the email, the custom name parameter and the password:
POST /create-account
Content-Type: application/json
{ "email": "[email protected]", "name": "User", "password": "secret123" }
200 OK
Content-Type: application/json
Authorization: eyJhbGciOiJIUzI1NiJ9.eyJhY2NvdW50X2lkIjo2NywidW52Z...
{ "success": "An email has recently been sent to you with a link to verify your account" }
Here is an example JSON request for account verification, which includes only the token from the verification email link (the password was already supplied when the account was created):
POST /verify-account
Content-Type: application/json
{ "key": "81_nG-P3iYpWc3Y4-A74J821ssYHctlOhChUCPfsDh96Q4" }
200 OK
Content-Type: application/json
Authorization: eyJhbGciOiJIUzI1NiJ9.eyJhY2NvdW50X2lkIjo4MiwiYXV0a...
{ "success": "Your account has been verified" }
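The Authorization header in both responses above starts with eyJhbGciOiJIUzI1NiJ9, the base64url encoding of {"alg":"HS256"}. The following added example (not the app's code; Rodauth's jwt feature uses the jwt gem with the configured jwt_secret) re-implements the HS256 mint and verify steps with OpenSSL so it runs stand-alone and shows what a verifier has to check: the algorithm is pinned server-side rather than read from the token, the signature is compared in constant time, and exp is honoured. The secret and the account_id claim are constructed.

```ruby
require "openssl"
require "json"

# Constructed secret; in the app this is the jwt_secret configuration value.
JWT_SECRET = "constructed-demo-secret-do-not-deploy".freeze

# base64url without padding, as used in JWT compact serialization.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  raise ArgumentError, "invalid base64url" unless str.match?(/\A[A-Za-z0-9_-]*\z/)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decoding: raises ArgumentError on bad input
end

# Constant-time byte comparison so a forged signature cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Header is exactly {"alg":"HS256"}, which is the eyJhbGciOiJIUzI1NiJ9 prefix seen above.
def mint_jwt(claims, secret: JWT_SECRET)
  signing_input = "#{b64url(JSON.generate({ "alg" => "HS256" }))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest("SHA256", secret, signing_input))}"
end

# Returns [claims, nil] on success or [nil, reason] on failure.
def verify_jwt(token, secret: JWT_SECRET, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split(".", -1)
  return [nil, "malformed token"] if sig_b64.nil? || token.count(".") != 2

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm: a token claiming "none" or any other alg is rejected outright.
  return [nil, "unexpected alg"] unless header.is_a?(Hash) && header["alg"] == "HS256"

  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  return [nil, "bad signature"] unless secure_equal?(b64url_decode(sig_b64), expected)

  claims = JSON.parse(b64url_decode(payload_b64))
  return [nil, "malformed claims"] unless claims.is_a?(Hash)
  return [nil, "expired"] if claims["exp"].is_a?(Integer) && claims["exp"] <= now

  [claims, nil]
rescue JSON::ParserError, ArgumentError => e
  [nil, "malformed token: #{e.message}"]
end

# Swap the payload of an existing token while keeping its signature, to show
# that a tampered account_id is caught by the signature check.
def with_payload(token, claims)
  header_b64, _payload_b64, sig_b64 = token.split(".")
  "#{header_b64}.#{b64url(JSON.generate(claims))}.#{sig_b64}"
end
```

A client that talks to these endpoints stores the Authorization header from one response and sends it unchanged on the next request; it does not need to decode the token itself, and should not treat the account_id it can read inside the payload as authoritative, since only the server holding the secret can verify it.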