password_confirmation.rdoc

doc/guides/password_confirmation.rdoc
Last Update: 2020-06-30 15:06:09 -0700

Require password confirmation for certain actions

You might want to require the user to enter their password before accessing sensitive sections of the app. This functionality is provided by the confirm password feature, which accompanied with the password grace period feature will remember the entered password for a period of time:

plugin :rodauth do
  enable :confirm_password, :password_grace_period

  # Remember the password for 1 hour
  password_grace_period 60*60
end

route do |r|
  r.rodauth

  r.is 'some-action' do
    # Require password authentication if the password has not been
    # input recently.
    rodauth.require_password_authentication

    # ...
  end
end

You can also do this for Rodauth actions that normally require a password. Which essentially moves the password confirmation into a separate step, as Rodauth's behavior with the password grace period feature is to ask for the password on the same form.

plugin :rodauth do
  enable :confirm_password, :password_grace_period, :change_login, :change_password

  before_change_login_route    { require_password_authentication }
  before_change_password_route { require_password_authentication }
end