Redirect after login (JSON API/OmniAuth)

[mdodell]

👋 Hello!

I followed the Omniauth guide for my React/Rails application (the client is its own repository, I am not using react_on_rails.

I have the omniauth action:

# app/controllres/rodauth_controller.rb
class RodauthController < ApplicationController
  def omniauth
    auth = request.env["omniauth.auth"]

    # attempt to find existing identity directly
    identity = AccountIdentity.find_by(provider: auth["provider"], uid: auth["uid"])

    if identity
      # update any external info changes
      identity.update!(info: auth["info"])
      # set account from identity
      account = identity.account
    end

    # attempt to find an existing account by email
    account ||= Account.find_by(email: auth["info"]["email"])

    # disallow login if account is not verified
    if account && account.status != rodauth.account_open_status_value
      redirect_to rodauth.login_path, alert: rodauth.unverified_account_message
      return
    end

    # create new account if it doesn't exist
    unless account
      account = Account.create!(email: auth["info"]["email"], status: rodauth.account_open_status_value)
    end

    # create new identity if it doesn't exist
    unless identity
      account.identities.create!(provider: auth["provider"], uid: auth["uid"], info: auth["info"])
    end

    # load the account into the rodauth instance
    rodauth.account_from_login(account.email)

    rodauth_response do # ensures any `after_action` callbacks get called
      # sign in the loaded account
      rodauth.login("omniauth")
    end
  end
end

When I go through my flow, rather than be redirected to my JSON API, which gives me the correct GET response:

{
success: "You have been logged in"
}

I tried to add an after_action that redirects to my client app, that gives me this error:

"#<AbstractController::DoubleRenderError: Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return"

Is there a way I can replace the render from Rodauth, and instead redirect, such as via some Referer response header?

[janko]

I tried to add an after_action that redirects to my client app, that gives me this error:

What code did you use for this?

[mdodell]

What code did you use for this?

I have the following code here:

class Api::V1::RodauthController < Api::V1::ApplicationController
  after_action :redirect_after_omniauth

  def omniauth
    auth = request.env["omniauth.auth"]

    # attempt to find existing identity directly
    identity = AccountIdentity.find_by(provider: auth["provider"], uid: auth["uid"])

    if identity
      # update any external info changes
      identity.update!(info: auth["info"])
      # set account from identity
      account = identity.account
    end

    # attempt to find an existing account by email
    account ||= Account.find_by(email: auth["info"]["email"])

    # disallow login if account is not verified
    if account && account.status != "verified"
      redirect_to rodauth.login_path, alert: rodauth.unverified_account_message
      return
    end

    # create new account if it doesn't exist
    account ||= Account.create!(email: auth["info"]["email"], status: rodauth.account_open_status_value, 
                                name: auth["info"]["first_name"])

    # create new identity if it doesn't exist
    account.identities.create!(provider: auth["provider"], uid: auth["uid"], info: auth["info"]) unless identity

    # load the account into the rodauth instance
    rodauth.account_from_login(account.email)

    rodauth_response do # ensures any `after_action` callbacks get called
      # sign in the loaded account
      rodauth.login("omniauth")
    end
  end

  private
   
  def redirect_after_omniauth
    redirect_to "mywebsite.com", allow_other_host: true
  end
end

I also tried adding in rodauth_main.rb instead of the above code:

 login_redirect "https://www.google.com"

Neither worked, and sitll redirected me to the JSON success.

[janko]

The reason this happens is that #login will end up throwing a JSON response, which rodauth_response helper will catch and render the JSON response. The after_action will then do a redirect_to on top of that, so that's where the Rails error is coming from.

It sounds like you want to disable JSON mode for the OmniAuth callback endpoint, so that you get the normal redirect back (JSON mode overrides redirects and view renders with JSON responses). One way to do this:

use_json? { request.env["omniauth.auth"] ? false : super() }

That will switch back to HTML mode, and login_redirect should then apply. If you want, you can also use login_session, which skips the redirect, so that you can redirect manually from the controller (in that case you don't need the rodauth_response block, since Rodauth is not returning a response here):

rodauth.account_from_login(account.email)
rodauth.login_session("omniauth")
redirect_to "mywebsite.com", allow_other_host: true

[mdodell]

Brilliant!

[mdodell]

Is the login_redirect still needed if redirect_to is used though 🤔?

[janko]

No, because #login_session method doesn't call it. Only #login calls it to redirect, after it has called #login_session.