rodauth
Plutonium Rodauth integration - authentication setup, account types, and configuration
Best use case
rodauth is best used when you need a repeatable AI agent workflow for wiring Plutonium to Rodauth (installation, account types, configuration) instead of a one-off prompt.
Teams using rodauth should expect more consistent output, faster repeated execution and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it at `.claude/skills/rodauth/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# Plutonium Rodauth Authentication
Plutonium integrates with [Rodauth](http://rodauth.jeremyevans.net/) via [rodauth-rails](https://github.com/janko/rodauth-rails) for authentication. This provides a full-featured, secure authentication system.
## Installation
### Step 1: Install Rodauth Base
```bash
rails generate pu:rodauth:install
```
This installs:
- Required gems (`rodauth-rails`, `bcrypt`, `sequel-activerecord_connection`)
- `app/rodauth/rodauth_app.rb` - Main Roda app
- `app/rodauth/rodauth_plugin.rb` - Base plugin
- `app/controllers/rodauth_controller.rb` - Base controller
- `config/initializers/rodauth.rb` - Configuration
- `app/views/layouts/rodauth.html.erb` - Auth layout
- PostgreSQL extension migration (if using PostgreSQL)
### Step 2: Create Account Type
Choose the appropriate generator for your use case:
```bash
# Basic user account
rails generate pu:rodauth:account user
# Admin with 2FA and security features
rails generate pu:rodauth:admin admin
# Customer with entity association
rails generate pu:rodauth:customer customer
```
## Account Generators
### Basic Account (`pu:rodauth:account`)
Creates a standard user account with configurable features:
```bash
rails generate pu:rodauth:account user [options]
```
**Options:**
| Option | Description |
|--------|-------------|
| `--defaults` | Enable default features (login, logout, remember, password reset) |
| `--kitchen_sink` | Enable ALL available features |
| `--primary` | Mark as primary account (no URL prefix) |
| `--no-mails` | Skip mailer setup |
| `--argon2` | Use Argon2 instead of bcrypt for password hashing |
| `--api_only` | Configure for JSON API only (no sessions) |
**Feature Options:**
| Option | Default | Description |
|--------|---------|-------------|
| `--login` | ✓ | Login functionality |
| `--logout` | ✓ | Logout functionality |
| `--remember` | ✓ | "Remember me" cookies |
| `--create_account` | ✓ | User registration |
| `--verify_account` | ✓ | Email verification |
| `--reset_password` | ✓ | Password reset via email |
| `--change_password` | ✓ | Change password |
| `--change_login` | ✓ | Change email |
| `--verify_login_change` | ✓ | Verify email change |
| `--otp` | | TOTP two-factor auth |
| `--webauthn` | | WebAuthn/passkeys |
| `--recovery_codes` | | Recovery codes for 2FA |
| `--lockout` | | Account lockout after failed attempts |
| `--active_sessions` | | Track active sessions |
| `--audit_logging` | | Audit authentication events |
| `--close_account` | | Allow account deletion |
| `--email_auth` | | Passwordless login via email |
| `--sms_codes` | | SMS-based 2FA |
| `--jwt` | | JWT token authentication |
| `--jwt_refresh` | | JWT refresh tokens |
### Admin Account (`pu:rodauth:admin`)
Creates a secure admin account with:
- Multi-phase login (email first, then password)
- TOTP two-factor authentication (required)
- Recovery codes
- Account lockout
- Active sessions tracking
- Audit logging
- No public signup (accounts created via rake task)
```bash
rails generate pu:rodauth:admin admin
```
**Creates rake task:**
```bash
# Create admin account. Quote the task name in zsh, where unquoted brackets are
# glob characters; note that a password passed this way lands in shell history.
rails "rodauth_admin:create[admin@example.com,password123]"
```
### Customer Account (`pu:rodauth:customer`)
Creates a customer account with an associated entity (organization/company):
```bash
rails generate pu:rodauth:customer customer
rails generate pu:rodauth:customer customer --entity=Organization
rails generate pu:rodauth:customer customer --no-allow_signup
```
**Options:**
| Option | Description |
|--------|-------------|
| `--entity=NAME` | Entity model name (default: "Entity") |
| `--no-allow_signup` | Disable public registration |
This creates:
- Customer account model
- Entity model (Organization, Company, etc.)
- Membership join model
- Has-many-through associations
## Connecting Auth to Controllers
### Include in Resource Controller
```ruby
# app/controllers/resource_controller.rb
class ResourceController < PlutoniumController
  include Plutonium::Resource::Controller
  include Plutonium::Auth::Rodauth(:user) # Use the :user account
end
```
### Multiple Account Types
```ruby
# app/controllers/admin_controller.rb
class AdminController < PlutoniumController
  include Plutonium::Resource::Controller
  include Plutonium::Auth::Rodauth(:admin)
end

# app/controllers/customer_controller.rb
class CustomerController < PlutoniumController
  include Plutonium::Resource::Controller
  include Plutonium::Auth::Rodauth(:customer)
end
```
### What It Provides
Including `Plutonium::Auth::Rodauth(:name)` adds:
| Method | Description |
|--------|-------------|
| `current_user` | The authenticated account |
| `logout_url` | URL to logout |
| `rodauth` | Access to Rodauth instance |
## Generated Files
### Account Structure
```
app/
├── controllers/
│   └── rodauth/
│       └── user_controller.rb        # Account-specific controller
├── mailers/
│   └── rodauth/
│       └── user_mailer.rb            # Account-specific mailer
├── models/
│   └── user.rb                       # Account model
├── rodauth/
│   ├── rodauth_app.rb                # Main Roda app
│   ├── rodauth_plugin.rb             # Base plugin
│   └── user_rodauth_plugin.rb        # Account-specific config
├── policies/
│   └── user_policy.rb                # Account policy
├── definitions/
│   └── user_definition.rb            # Account definition
└── views/
    ├── layouts/
    │   └── rodauth.html.erb          # Auth layout
    └── rodauth/
        └── user_mailer/              # Email templates
            ├── reset_password.text.erb
            ├── verify_account.text.erb
            └── ...
```
### Plugin Configuration
```ruby
# app/rodauth/user_rodauth_plugin.rb
class UserRodauthPlugin < RodauthPlugin
  configure do
    # Features enabled for this account
    enable :login, :logout, :remember, :create_account, ...

    # URL prefix (non-primary accounts)
    prefix "/users"

    # Password storage
    account_password_hash_column :password_hash

    # Controller for views
    rails_controller { Rodauth::UserController }

    # Model
    rails_account_model { User }

    # Redirects
    login_redirect "/"
    logout_redirect "/"

    # Session configuration; keep these distinct for every account type so a
    # user session and an admin session never share a key
    session_key "_user_session"
    remember_cookie_key "_user_remember"
  end
end
```
## Customization
### Custom Login Redirect
```ruby
# app/rodauth/user_rodauth_plugin.rb
configure do
  login_redirect { "/dashboard" }

  # Or dynamically, based on the account that just logged in
  login_redirect do
    if rails_account.admin?
      "/admin"
    else
      "/dashboard"
    end
  end
end
```
### Custom Validation
```ruby
configure do
  # Add custom field validation; Rodauth's param returns "" when the field is absent,
  # so a missing name is caught as well as an empty one
  before_create_account do
    throw_error_status(422, "name", "must be present") if param("name").empty?
  end

  # After account creation
  after_create_account do
    Profile.create!(account_id: account_id, name: param("name"))
  end
end
```
### Password Requirements
```ruby
configure do
  # Minimum length
  password_minimum_length 12

  # Custom complexity; super keeps Rodauth's own checks (length and, if enabled,
  # the common-password and reuse rules) in front of the additional ones
  password_meets_requirements? do |password|
    super(password) && password.match?(/\d/) && password.match?(/[^a-zA-Z\d]/)
  end
end
```
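The rules in the block above only run inside a Rodauth configure block, which makes them awkward to unit-test. The following is an added example, not Plutonium's or Rodauth's code: a stand-alone Ruby version of the same checks, extended with the two a reviewer usually asks for next (a deny list, which Rodauth's `disallow_common_passwords` feature provides for real, and a check that the password does not contain the login). The 12-character minimum, the `login:` parameter, the rule names and the four-entry deny list are all constructed for the example.

```ruby
# Added example (not Plutonium's or Rodauth's code): password rules as a plain
# Ruby module so they can be tested outside a Rodauth configure block.
module PasswordPolicy
  MIN_LENGTH = 12 # assumption; mirror password_minimum_length

  # Constructed sample deny list. In production use a real list such as the one
  # shipped with Rodauth's disallow_common_passwords feature.
  COMMON = %w[password123! correcthorsebattery changeme1234 letmein12345].freeze

  # Returns [] when the password is acceptable, otherwise the names of the rules
  # it failed. Rodauth shows the user one message; the list lets the caller log
  # which rule tripped without logging the password itself.
  def self.violations(password, login: nil)
    pw = password.to_s # nil (field missing) is treated as an empty password
    failed = []
    failed << "too short"       if pw.length < MIN_LENGTH
    failed << "needs a digit"   unless pw.match?(/\d/)
    failed << "needs a symbol"  unless pw.match?(/[^a-zA-Z\d]/)
    failed << "common password" if COMMON.include?(pw.downcase)

    if login
      # Reject passwords built from the local part of the email address;
      # very short local parts are skipped to avoid false positives.
      local = login.to_s.split("@").first.to_s.downcase
      failed << "contains your login" if local.length >= 4 && pw.downcase.include?(local)
    end
    failed
  end

  def self.acceptable?(password, login: nil)
    violations(password, login: login).empty?
  end
end

if $PROGRAM_NAME == __FILE__
  p PasswordPolicy.violations("Tr0ub4dor&3")
  p PasswordPolicy.violations("alice.smith#2024x", login: "alice.smith@example.com")
end
```

Inside the real configure block, `password_meets_requirements?` would call `super(password) && PasswordPolicy.acceptable?(password, login: param("login"))`, keeping Rodauth's own checks in front.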
### Multi-Phase Login
```ruby
configure do
# Ask for email first, then password
use_multi_phase_login? true
end
```
### Prevent Public Signup
```ruby
configure do
  # Halt the signup route (an empty 404 by default) for anything that is not an
  # internal request, so only rake tasks and console code can create accounts
  before_create_account_route do
    request.halt unless internal_request?
  end
end
```
## Email Configuration
Emails are sent via Action Mailer. Configure delivery in your environment:
```ruby
# config/environments/production.rb
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
  address: "smtp.example.com",
  port: 587,
  user_name: ENV["SMTP_USER"],
  password: ENV["SMTP_PASSWORD"]
}
```
### Custom Email Templates
Override templates in `app/views/rodauth/user_mailer/`:
```erb
<%# app/views/rodauth/user_mailer/reset_password.text.erb %>
Hi <%= @account.email %>,
Someone requested a password reset for your account.
Reset your password: <%= @reset_password_url %>
If you didn't request this, ignore this email.
```
## Portal Integration
### Selecting Auth for Portal
When generating a portal, select the Rodauth account:
```bash
rails generate pu:pkg:portal admin
# Select "Rodauth account" when prompted
# Choose "admin" account
```
### Manual Portal Auth Setup
```ruby
# packages/admin_portal/lib/engine.rb
module AdminPortal
  class Engine < Rails::Engine
    include Plutonium::Portal::Engine

    # Require authentication on every resource controller in the portal
    config.before_initialize do
      config.to_prepare do
        AdminPortal::ResourceController.class_eval do
          include Plutonium::Auth::Rodauth(:admin)
          before_action :require_authenticated

          private

          def require_authenticated
            redirect_to rodauth.login_path unless current_user
          end
        end
      end
    end
  end
end
```
## API Authentication
For JSON API authentication:
```bash
rails generate pu:rodauth:account api_user --api_only --jwt --jwt_refresh
```
This enables:
- JWT token authentication
- Refresh tokens
- No session/cookie handling
### Using JWT
Requests and responses are JSON; the login parameters are `login` and `password`. The access token comes back in the `Authorization` response header and, because `jwt_refresh` is enabled, both tokens are also in the JSON body:
```text
# Login
POST /api_users/login
Content-Type: application/json

{"login": "user@example.com", "password": "secret"}

# Response body (the access token is also in the Authorization response header)
{"access_token": "...", "refresh_token": "..."}

# Authenticated requests
GET /api/posts
Authorization: Bearer <access_token>

# When the access token expires, exchange the refresh token for a new pair
POST /api_users/jwt-refresh
Content-Type: application/json

{"refresh_token": "..."}
```
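Rodauth's `jwt` feature signs access tokens with HS256 over the configured `jwt_secret` by default, and Rodauth itself validates them on the `/api_users/...` routes. Any other service that receives `Authorization: Bearer <access_token>` and wants to trust the claims has to repeat that validation, and the order of the checks is where most JWT bugs live. The block below is an added example, not Plutonium's or Rodauth's code: an HS256 issuer and verifier in plain Ruby with only the standard library, so the verifier can be exercised offline. The secret, the 1800-second lifetime and the `account_id` claim are constructed for the example; match the lifetime to your `jwt_access_token_period` and read the real claim names from the tokens Rodauth actually issues.

```ruby
require "openssl"
require "json"

# Added example (not Plutonium's or Rodauth's code): minting and checking an
# HS256 bearer token the way a service downstream of Rodauth has to check one.
module BearerCheck
  ALG = "HS256".freeze
  # Constructed sample secret; a real jwt_secret must be random and kept out of source.
  EXAMPLE_SECRET = "constructed-example-secret-at-least-32-bytes-long!!".freeze

  # Base64url without padding, as JWT requires.
  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64url(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)
    s.unpack1("m0") # strict decoding: raises ArgumentError on bad input
  end

  # Constant-time comparison so a failed signature check does not leak how many
  # leading bytes of the MAC were right.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Mint a token as an HS256 issuer does. ttl 1800 s is an assumption.
  def self.issue(claims, secret:, now: Time.now.to_i, ttl: 1800)
    header  = { "alg" => ALG, "typ" => "JWT" }
    payload = claims.merge("iat" => now, "exp" => now + ttl)
    input   = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{input}.#{b64url(OpenSSL::HMAC.digest("SHA256", secret, input))}"
  end

  # Returns [:ok, claims] or [:error, reason]. The algorithm is pinned and the
  # signature verified before anything in the payload is read.
  def self.verify(authorization_header, secret:, now: Time.now.to_i)
    scheme, token = authorization_header.to_s.split(" ", 2)
    return [:error, "missing bearer token"] unless scheme == "Bearer" && token
    parts = token.split(".")
    return [:error, "malformed token"] unless parts.length == 3
    h64, p64, s64 = parts

    header = JSON.parse(unb64url(h64))
    # Never take the algorithm from the token: this rejects "none" and any
    # attempt to swap in a different MAC or signature scheme.
    return [:error, "unexpected alg"] unless header["alg"] == ALG

    expected = OpenSSL::HMAC.digest("SHA256", secret, "#{h64}.#{p64}")
    return [:error, "bad signature"] unless secure_equal?(expected, unb64url(s64))

    payload = JSON.parse(unb64url(p64))
    return [:error, "expired"] unless payload["exp"].is_a?(Integer) && now < payload["exp"]
    [:ok, payload]
  rescue ArgumentError, TypeError, JSON::ParserError
    [:error, "malformed token"]
  end
end

if $PROGRAM_NAME == __FILE__
  token = BearerCheck.issue({ "account_id" => 42 }, secret: BearerCheck::EXAMPLE_SECRET)
  p BearerCheck.verify("Bearer #{token}", secret: BearerCheck::EXAMPLE_SECRET)
end
```

The checks that matter are the two that come before the payload is parsed: pinning `alg` (a token whose header says `none` or names another algorithm is rejected regardless of its signature) and verifying the MAC with a constant-time compare. Only after those pass is `exp` consulted, and a token is treated as expired at the `exp` second itself, not one second later.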
## Internal Requests
Create accounts programmatically. The internal request path runs the same validations, hooks, password requirements and hashing as a real signup and needs `enable :internal_request` in the account's Rodauth plugin; writing the model directly bypasses all of that:
```ruby
# Using an internal request on the generated Roda app (RodauthApp), selecting
# the :user configuration
RodauthApp.rodauth(:user).create_account(
  login: "user@example.com",
  password: "secure_password"
)

# Or via the model (if allowed). No password requirements, hooks or audit
# logging run, and the hash must be one Rodauth will recognise: bcrypt here,
# the argon2 gem if the account was generated with --argon2
User.create!(
  email: "user@example.com",
  password_hash: BCrypt::Password.create("secure_password"),
  status: 2 # verified
)
```
## Feature Reference
| Feature | Description |
|---------|-------------|
| `login` | Basic login/logout |
| `create_account` | User registration |
| `verify_account` | Email verification |
| `reset_password` | Password reset via email |
| `change_password` | Change password when logged in |
| `change_login` | Change email address |
| `verify_login_change` | Verify email change |
| `remember` | "Remember me" functionality |
| `otp` | TOTP two-factor authentication |
| `sms_codes` | SMS-based 2FA |
| `recovery_codes` | Backup codes for 2FA |
| `webauthn` | WebAuthn/passkey authentication |
| `lockout` | Lock account after failed attempts |
| `active_sessions` | Track/manage active sessions |
| `audit_logging` | Log authentication events |
| `email_auth` | Passwordless email login |
| `jwt` | JWT token authentication |
| `jwt_refresh` | JWT refresh tokens |
| `close_account` | Allow account deletion |
| `password_expiration` | Force password changes |
| `disallow_password_reuse` | Prevent password reuse |
## Related Skills
- `installation` - Initial Plutonium setup
- `portal` - Portal configuration
- `policy` - Authorization after authentication