How to gracefully handle deleted/closed account record on pages not requiring authentication

[janko]

When the session is logged in, but the underlying account record has been closed/deleted, on pages that require authentication, we can gracefully handle that by calling rodauth.require_account instead of rodauth.require_authentication at the beginning of the request.

rodauth.require_account # checks that the session is logged in AND that the account exists

How would we handle that for pages not requiring authentication, which are rendered differently depending on whether the user is logged in our not? Checking for rodauth.logged_in? or rodauth.authenticated? checks just the session, not that the account actually exists. Today I would write it like this in a view template:

if rodauth.logged_in? && (rodauth.account || rodauth.account_from_session)
  # ...
end

Or maybe before the request:

# this is similar to what #require_account_session does
if rodauth.logged_in?
  rodauth.account_from_session
  rodauth.clear_session unless rodauth.account
end

Would there be interest in baking this functionality into Rodauth, to make it easier to ensure existence of logged in accounts? I think this would be useful to gracefully handle sessions that are still logged in after the user closed their account, or if a system deletes an account record at part of a maintenance task. I don't know which of these two approaches (checking ad-hoc or before request) would be better; my guess is the latter, since it's more composable, as people don't need to change their rodauth.logged_in? and rodauth.authenticated? checks.

[jeremyevans]

It seems in this case, you would want to use the active_sessions plugin, since I think that would take care of this use case. However, I'd be open to rodauth.active_account? or similar method.

[janko]

Thanks for the reply, that makes sense that you'd want to use active_sessions plugin for that. In this case, a method like rodauth.active_account? doesn't seem necessary, because rodauth.check_active_session will already log out the session when account was closed (though not if deleted outside of close_account action).

In rodauth-rails, there is also a current_account method, which retrieves the account from the session, so that can be used here as well. I just wanted to find a way where the developer doesn't need to think about it (without using active_sessions), as Devise's authenticate_user! and user_signed_in? both check for existence of the account record, though they have a drawback of always making that extra SQL query. I think there are enough options in Rodauth.