Modify base_url or _email_link generation on a per action basis

[FelipeBodelon]

I'm handling some callback routes or email links on different hosts depending on the action, as I'm going for a progressive implementation of the library. I want to keep the generated rails view, while creating my custom auth flow on a new host vía JSON API. Is there a way to modify base_url on a per action basis? So far I mostly need the verify email to have a different base_url.

I've tried this and a few other overrides on rodauth_mailer.rb but they don't seem to be changing the default:

# rodauth_main.rb

def verify_account_email_link
    "#{ENV.fetch("FRONTEND_APP_URL", "http:https://localhost:3001")}/auth/verify-account?#{verify_account_key_param}=#{verify_account_key_value}"
end

[janko]

That method definition should be overriding the email link. In your mailer, when you look at @rodauth.method(:verify_account_email_link).source_location, it doesn't show you overridden method? Where is your method definition located in your Rodauth configuration, outside of the configure {} block or within auth_class_eval {}?

[FelipeBodelon]

I was using the configuration DSL, sorry if I didn't said it clearly. Tried placing it outside and the override worked (not with the DSL tho). I found another resulting issue in regards to the actual verification on the callback route (external host, via JSON). Verification fails with a 401 error. My intuition suggests that it could fail as the origin of the request wouldn't match base_url, which further nudges me into believing overriding base_url conditionally could better solve my use case.

Is this a reason why it could be failing? If I override base_url then it doesn't fail.

[janko]

Tried placing it outside and the override worked (not with the DSL tho).

Note sure why it didn't work via the configuration DSL, works on the official demo app 🤷🏻‍♂️

Verification fails with a 401 error.

What is the response body? Is it coming from Rodauth or Rails' CSRF protection? With the current information, I don't know why overriding base_url makes it not fail.

[FelipeBodelon]

Rodauth CSRF is disabled. Fails with status 401 { error: "Unable to verify account" }. Seems to be coming from Rodauth, but I have no idea what could be the issue.

[janko]

Since there are no validation errors, this most likely means the token was invalid. You can verify that by setting error reason in the JSON response, then checking if it matches invalid_verify_account_key.

set_error_reason { |reason| json_response[:error_reason] = reason }

The reason it's invalid is because rodauth-rails configures Rodauth to use HMACs, which requires hashed tokens to be passed to email links, and you're passing the raw token. That's why overriding base_url was working for you, because it wasn't changing the token. So, it's have to be

def verify_account_email_link
  "#{ENV.fetch("MEMOORIAS_APP_URL", "http:https://localhost:3001")}/auth/verify-account?#{verify_account_key_param}=#{token_param_value(verify_account_key_value)}"
end

But I would recommend just overriding the base_url based on a custom flag that you turn on in your mailer actions:

class RodauthMailer < ApplicationMailer
  def verify_account(name, account_id, key)
    @rodauth = rodauth(name, account_id) { @verify_account_key_value = key }
    @rodauth.frontend = true
    @account = @rodauth.rails_account

    mail subject: @rodauth.verify_account_email_subject
  end
end

class RodauthMain < Rodauth::Rails::Auth
  configure do
    base_url { frontend ? ENV.fetch("MEMOORIAS_APP_URL", "http:https://localhost:3001") : super() }
  end

  attr_accessor :frontend
end

[FelipeBodelon]

That's quite exactly the solution I needed. Thank you very much! This gives me full control based on action and modifies only the necessary behaviours without altering the rest!