Sending the Account verification email when trying to reset password.

[ifasoldt]

Basically the title.

Currently, the default behavior for unverified accounts is to just show an error if they try to reset the password. See here. We would love to conditionally re-send the account verification email instead if accounts are unverified and show a different, error message. This seems like very standard behavior in many applications.

It's not clear to me how to overwrite the current behavior-- we can access behavior with some hooks, for example reset_password_request_view, but it's not clear to me how to achieve the functionality we want.

[jeremyevans]

If a user tries to login, before even attempting the login, if the account is not verified, it sends them to the resend verify account view. This occurs before the password is checked and they would be sent to the reset password page. So I guess you would want this only to handle cases where the user navigates to the reset password page directly.

It is simple to make the behavior in this case configurable. Can you try the following diff, use the reset_password_request_for_unverified_account method to configure the behavior you want, and let me know if that will work for you?

diff --git a/lib/rodauth/features/reset_password.rb b/lib/rodauth/features/reset_password.rb
index a17558e..11c8f60 100644
--- a/lib/rodauth/features/reset_password.rb
+++ b/lib/rodauth/features/reset_password.rb
@@ -50,6 +50,7 @@ module Rodauth
       :reset_password_email_link,
       :reset_password_key_insert_hash,
       :reset_password_key_value,
+      :reset_password_request_for_unverified_account,
       :set_reset_password_email_last_sent
     )
     auth_private_methods(
@@ -73,9 +74,7 @@ module Rodauth
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 
-          unless open_account?
-            throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
-          end
+          reset_password_request_for_unverified_account unless open_account?
 
           if reset_password_email_recently_sent?
             set_redirect_error_flash reset_password_email_recently_sent_error_flash
@@ -174,6 +173,10 @@ module Rodauth
       end
     end
 
+    def reset_password_request_for_unverified_account
+      throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
+    end
+
     def remove_reset_password_key
       password_reset_ds.delete
     end

[ifasoldt]

Thank you for your quick reply! Yes, it is in cases where the user tries to navigate directly to reset password.

I'll try this and get back to you.

Also, I wonder if we're doing something non-standard, because our login page doesn't auto send non-verified accounts to the resend verify account view... Is that a feature we need to turn on?

[jeremyevans]

It's the default behavior. Related specs are at: https://github.com/jeremyevans/rodauth/blob/master/spec/verify_account_spec.rb#L33-L39

[ifasoldt]

Works like a charm!

I vendored Rodauth locally to make it work. I assume that's the best solution for now?

[jeremyevans]

Thank you for testing. I'll merge the change into Rodauth shortly, and it will be in the next release (not sure when that will be, but before the end of September at the latest).

[ifasoldt]

Awesome, thank you!

[ifasoldt]

And thank you!!