Provide a possibility to disable flows in dbAuth completely (#5851)
* Provide a possibility to disable flows in dbAuth completely

* Update configuration docs

Co-authored-by: Rob Cameron <[email protected]>
Morishiri and cannikin authored Jul 21, 2022
1 parent 8884255 commit b562305
Showing 5 changed files with 468 additions and 106 deletions.
41 changes: 41 additions & 0 deletions docs/docs/auth/dbauth.md
Expand Up @@ -107,6 +107,16 @@ If you'd rather create your own, you might want to start from the generated page

Almost all config for dbAuth lives in `api/src/functions/auth.js` in the object you give to the `DbAuthHandler` initialization. The comments above each key will explain what goes where. Here's an overview of the more important options:

### login.enabled

Allow users to call login. Defaults to true. Needs to be explicitly set to false to disable the flow.

```jsx
login: {
enabled: false
}
```

### login.handler()

If you want to do something other than immediately let a user log in if their username/password is correct, you can add additional logic in `login.handler()`. For example, if a user's credentials are correct, but they haven't verified their email address yet, you can throw an error in this function with the appropriate message and then display it to the user. If the login should proceed, simply return the user that was passed as the only argument to the function:
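
Review bot: In the new `login.enabled` section, "Needs to be explicitly set to false" does not say whether only the boolean `false` counts. A value wired in from an environment variable arrives as the string `"false"`, and a reader could assume that disables login when the wording suggests it would not. Suggest stating the comparison outright, for example "Only the boolean `false` disables the flow; any other value, including a missing key, leaves it enabled", if that matches what the handler does.
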
Expand All @@ -123,6 +133,16 @@ login: {
}
```

### signup.enabled

Allow users to sign up. Defaults to true. Needs to be explicitly set to false to disable the flow.

```jsx
signup: {
enabled: false
}
```

### signup.handler()

This function should contain the code needed to actually create a user in your database. You will receive a single argument which is an object with all of the fields necessary to create the user (`username`, `hashedPassword` and `salt`) as well as any additional fields you included in your signup form in an object called `userAttributes`:
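
Review bot: The `signup.enabled` section says the flow can be turned off but not what a caller gets back when it is. Document the response a request to the disabled flow receives (the error message and where it surfaces on the signup page), so someone running an invite-only app can confirm the setting took effect and knows what users who still reach the generated signup page will see.
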
Expand Down Expand Up @@ -167,6 +187,16 @@ const onSubmit = async (data) => {
}
```

### forgotPassword.enabled

Allow users to request a new password via a call to `forgotPassword`. Defaults to true. Needs to be explicitly set to false to disable the flow.
When disabling this flow you probably want to disable `resetPassword` as well.

```jsx
forgotPassword: {
enabled: false
}
```
### forgotPassword.handler()

This handler is invoked if a user is found with the username/email that they submitted on the Forgot Password page, and that user will be passed as an argument. Inside this function is where you'll send the user a link to reset their password—via an email is most common. The link will, by default, look like:
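
Review bot: The closing fence of the `forgotPassword.enabled` example is followed directly by `### forgotPassword.handler()` with no blank line, unlike the `login`, `signup` and `resetPassword` sections added in this patch. Add the blank line so the heading is separated the same way everywhere. The sentence "you probably want to disable `resetPassword` as well" would also be more useful if it linked to that section and said why.
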
Expand All @@ -177,6 +207,17 @@ If you changed the path to the Reset Password page in your routes you'll need to

https://example.com/reset-password?resetKey=${user.resetKey}

### resetPassword.enabled

Allow users to reset their password via a code from a call to `forgotPassword`. Defaults to true. Needs to be explicitly set to false to disable the flow.
When disabling this flow you probably want to disable `forgotPassword` as well.

```jsx
resetPassword: {
enabled: false
}
```

### resetPassword.handler()

This handler is invoked after the password has been successfully changed in the database. Returning something truthy (like `return user`) will automatically log the user in after their password is changed. If you'd like to return them to the login page and make them log in manually, `return false` and redirect the user in the Reset Password page.
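
Review bot: In `resetPassword.enabled`, "you probably want to disable `forgotPassword` as well" leaves the mixed configurations undefined. Say what happens in each: with `forgotPassword` still enabled, does `forgotPassword.handler()` keep sending links that can no longer be redeemed, and with only `forgotPassword` disabled, do reset keys issued earlier stay usable? If disabling one without the other is never sensible, state that as a requirement rather than "probably".
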