rodauth-rails 0.14.0 → 0.17.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d447d09fef8c29feb6240523286b8906049e85965f20a6410d1a475f913d9051
-  data.tar.gz: bca9b6eadec6b32f2193291c6922467a554105d290ffd7b34bc2606d62121926
+  metadata.gz: 458a4a5552c124a1e7587837bbd57eed020857ae691bcc4b1f2e2639df774bb8
+  data.tar.gz: b19da17830585641950d026dff75ebd32ded19ad16dd5fb5c3b8a33c34b0a8f6
 SHA512:
-  metadata.gz: 1f512f9fe9a3e22dcddf477d8906d1ea63a548241fd93b43bbcaf274ff39e0104e20f64c6a2836e5b243e812ffde654deae55a0beca69f4ba917cd5943da8a3c
-  data.tar.gz: dbbd99959dfd42134cd3374f1f9767cf3e8d49327c195d4c35c4ecf281d0c3dad52db76b7e2fbf030c9e3ea2131bfcb1b6a120cc4a310983d8db564e63b97cda
+  metadata.gz: 01d5c774269d260e2805e0a2e4a509d9db81a3a966e94176cd6c5df6d808356feee48c5009b9692e0647034ae1c4d6ea3dc29627fa2000d05821a4402080601a
+  data.tar.gz: 1dde8d0ffb4605d3abf7893628a804eca7c0fbc94f2418176651dce81fac14eb4dfe1d165e315288a2a46373b818c795e15e9d58b5ad77f15b1fb5c3d9efc4be

data/CHANGELOG.md

@@ -1,3 +1,45 @@
+## 0.17.1 (2021-10-20)
+
+* Skip checking CSRF when request forgery protection wasn't loaded on the controller (@janko)
+
+* Create partial unique index for `accounts.email` column when using `sqlite3` adapter (@janko)
+
+* Revert setting `delete_account_on_close?` to `true` in generated `rodauth_app.rb` (@janko)
+
+* Disable Turbo in `_recovery_codes_form.html.erb`, since viewing recovery codes isn't Turbo-compatible (@janko)
+
+* Generate JSON configuration on `rodauth:install` for API-only with sessions enabled (@janko)
+
+* Generate JWT configuration on `rodauth:install` only for API-only apps without sessions enabled (@janko)
+
+* Don't generate JWT configuration when `rodauth:install --json` was run in API-only app (@janko)
+
+* Use `config.action_mailer.default_url_options` in path_class_methods feature (@janko)
+
+## 0.17.0 (2021-10-05)
+
+* Set `delete_account_on_close?` to `true` in generated `rodauth_app.rb` (@janko)
+
+* Change default `:dependent` option for associations to `:delete`/`:delete_all` (@janko)
+
+* Add `rails_account_model` configuration method for when the account model cannot be inferred (@janko)
+
+## 0.16.0 (2021-09-26)
+
+* Add `#current_account` to methods defined on `ActionController::Base` (@janko)
+
+* Add missing template for verify_login_change feature to `rodauth:views` generator (@janko)
+
+* Add `#rodauth_response` controller method for converting rodauth responses into controller responses (@janko)
+
+## 0.15.0 (2021-07-29)
+
+* Add `Rodauth::Rails::Model` mixin that defines password attribute and associations on the model (@janko)
+
+* Add support for the new internal_request feature (@janko)
+
+* Implement `Rodauth::Rails.rodauth` in terms of the internal_request feature (@janko)
+
 ## 0.14.0 (2021-07-10)
 
 * Speed up template rendering by only searching formats accepted by the request (@janko)

data/README.md

@@ -49,7 +49,7 @@ For instructions on upgrading from previous rodauth-rails versions, see
 Add the gem to your Gemfile:
 
 ```rb
-gem "rodauth-rails", "~> 0.14"
+gem "rodauth-rails", "~> 0.17"
 
 # gem "jwt",      require: false # for JWT feature
 # gem "rotp",     require: false # for OTP feature
@@ -142,31 +142,36 @@ end
 
 ### Current account
 
-To be able to fetch currently authenticated account, you can define a
-`#current_account` method that fetches the account id from session and
-retrieves the corresponding account record:
+The `#current_account` method is defined in controllers and views, which
+returns the model instance of the currently logged in account.
 
 ```rb
-# app/controllers/application_controller.rb
-class ApplicationController < ActionController::Base
-  before_action :current_account, if: -> { rodauth.logged_in? }
+current_account #=> #<Account id=123 email="user@example.com">
+current_account.email #=> "user@example.com"
+```
 
-  private
+If the account doesn't exist in the database, the session will be cleared and
+login required.
 
-  def current_account
-    @current_account ||= Account.find(rodauth.session_value)
-  rescue ActiveRecord::RecordNotFound
-    rodauth.logout
-    rodauth.login_required
-  end
-  helper_method :current_account # skip if inheriting from ActionController::API
-end
+Pass the configuration name to retrieve accounts belonging to other Rodauth
+configurations:
+
+```rb
+current_account(:admin)
 ```
 
-This allows you to access the current account in controllers and views:
+The `#current_account` method will try to infer the account model class from
+the configured table name. If that fails, you can set the account model
+manually:
 
-```erb
-<p>Authenticated as: <%= current_account.email %></p>
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # ...
+    rails_account_model Authentication::Account # custom model name
+  end
+end
 ```
 
 ### Requiring authentication
@@ -453,6 +458,134 @@ class CreateRodauthOtpSmsCodesRecoveryCodes < ActiveRecord::Migration
 end
 ```
 
+### Model
+
+The `Rodauth::Rails::Model` mixin can be included into the account model, which
+defines a password attribute and associations for tables used by enabled
+authentication features.
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model # or `Rodauth::Rails.model(:admin)`
+end
+```
+
+#### Password attribute
+
+Regardless of whether you're storing the password hash in a column in the
+accounts table, or in a separate table, the `#password` attribute can be used
+to set or clear the password hash.
+
+```rb
+account = Account.create!(email: "user@example.com", password: "secret")
+
+# when password hash is stored in a column on the accounts table
+account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."
+
+# when password hash is stored in a separate table
+account.password_hash #=> #<Account::PasswordHash...> (record from `account_password_hashes` table)
+account.password_hash.password_hash #=> "$2a$12$k/Ub1..." (inaccessible when using database authentication functions)
+
+account.password = nil # clears password hash
+account.password_hash #=> nil
+```
+
+Note that the password attribute doesn't come with validations, making it
+unsuitable for forms. It was primarily intended to allow easily creating
+accounts in development console and in tests.
+
+#### Associations
+
+The `Rodauth::Rails::Model` mixin defines associations for Rodauth tables
+associated to the accounts table:
+
+```rb
+account.remember_key #=> #<Account::RememberKey> (record from `account_remember_keys` table)
+account.active_session_keys #=> [#<Account::ActiveSessionKey>,...] (records from `account_active_session_keys` table)
+```
+
+You can also reference the associated models directly:
+
+```rb
+# model referencing the `account_authentication_audit_logs` table
+Account::AuthenticationAuditLog.where(message: "login").group(:account_id)
+```
+
+The associated models define the inverse `belongs_to :account` association:
+
+```rb
+Account::ActiveSessionKey.includes(:account).map(&:account)
+```
+
+Here is an example of using associations to create a method that returns
+whether the account has multifactor authentication enabled:
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model
+
+  def mfa_enabled?
+    otp_key || (sms_code && sms_code.num_failures.nil?) || recovery_codes.any?
+  end
+end
+```
+
+Here is another example of creating a query scope that selects accounts with
+multifactor authentication enabled:
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model
+
+  scope :otp_setup, -> { where(otp_key: OtpKey.all) }
+  scope :sms_codes_setup, -> { where(sms_code: SmsCode.where(num_failures: nil)) }
+  scope :recovery_codes_setup, -> { where(recovery_codes: RecoveryCode.all) }
+  scope :mfa_enabled, -> { merge(otp_setup.or(sms_codes_setup).or(recovery_codes_setup)) }
+end
+```
+
+Below is a list of all associations defined depending on the features loaded:
+
+| Feature                 | Association                  | Type       | Model                    | Table (default)                     |
+| :------                 | :----------                  | :---       | :----                    | :----                               |
+| account_expiration      | `:activity_time`             | `has_one`  | `ActivityTime`           | `account_activity_times`            |
+| active_sessions         | `:active_session_keys`       | `has_many` | `ActiveSessionKey`       | `account_active_session_keys`       |
+| audit_logging           | `:authentication_audit_logs` | `has_many` | `AuthenticationAuditLog` | `account_authentication_audit_logs` |
+| disallow_password_reuse | `:previous_password_hashes`  | `has_many` | `PreviousPasswordHash`   | `account_previous_password_hashes`  |
+| email_auth              | `:email_auth_key`            | `has_one`  | `EmailAuthKey`           | `account_email_auth_keys`           |
+| jwt_refresh             | `:jwt_refresh_keys`          | `has_many` | `JwtRefreshKey`          | `account_jwt_refresh_keys`          |
+| lockout                 | `:lockout`                   | `has_one`  | `Lockout`                | `account_lockouts`                  |
+| lockout                 | `:login_failure`             | `has_one`  | `LoginFailure`           | `account_login_failures`            |
+| otp                     | `:otp_key`                   | `has_one`  | `OtpKey`                 | `account_otp_keys`                  |
+| password_expiration     | `:password_change_time`      | `has_one`  | `PasswordChangeTime`     | `account_password_change_times`     |
+| recovery_codes          | `:recovery_codes`            | `has_many` | `RecoveryCode`           | `account_recovery_codes`            |
+| remember                | `:remember_key`              | `has_one`  | `RememberKey`            | `account_remember_keys`             |
+| reset_password          | `:password_reset_key`        | `has_one`  | `PasswordResetKey`       | `account_password_reset_keys`       |
+| single_session          | `:session_key`               | `has_one`  | `SessionKey`             | `account_session_keys`              |
+| sms_codes               | `:sms_code`                  | `has_one`  | `SmsCode`                | `account_sms_codes`                 |
+| verify_account          | `:verification_key`          | `has_one`  | `VerificationKey`        | `account_verification_keys`         |
+| verify_login_change     | `:login_change_key`          | `has_one`  | `LoginChangeKey`         | `account_login_change_keys`         |
+| webauthn                | `:webauthn_keys`             | `has_many` | `WebauthnKey`            | `account_webauthn_keys`             |
+| webauthn                | `:webauthn_user_id`          | `has_one`  | `WebauthnUserId`         | `account_webauthn_user_ids`         |
+
+By default, all associations except for audit logs have `dependent: :destroy`
+set, to allow for easy deletion of account records in the console. You can use
+`:association_options` to modify global or per-association options:
+
+```rb
+# don't auto-delete associations when account model is deleted
+Rodauth::Rails.model(association_options: { dependent: nil })
+
+# require authentication audit logs to be eager loaded before retrieval
+Rodauth::Rails.model(association_options: -> (name) {
+  { strict_loading: true } if name == :authentication_audit_logs
+})
+```
+
+Note that some Rodauth tables use composite primary keys, which Active Record
+doesn't support out of the box. For associations to work properly, you might
+need to add the [composite_primary_keys] gem to your Gemfile.
+
 ### Multiple configurations
 
 If you need to handle multiple types of accounts that require different
@@ -656,37 +789,88 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-### Rodauth instance
+### Outside of a request
 
-In some cases you might need to use Rodauth more programmatically, and perform
-Rodauth operations outside of the request context. rodauth-rails gives you a
-helper method for building a Rodauth instance:
+In some cases you might need to use Rodauth more programmatically. If you want
+to perform authentication operations outside of request context, Rodauth ships
+with the [internal_request] feature just for that.
 
 ```rb
-rodauth = Rodauth::Rails.rodauth # or Rodauth::Rails.rodauth(:admin)
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    enable :internal_request
+  end
+end
+```
+```rb
+# main configuration
+RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret")
+RodauthApp.rodauth.verify_account(account_login: "user@example.com")
 
-rodauth.login_url #=> "https://example.com/login"
-rodauth.account_from_login("user@example.com") # loads user by email
-rodauth.password_match?("secret") #=> true
-rodauth.setup_account_verification
-rodauth.close_account
+# secondary configuration
+RodauthApp.rodauth(:admin).close_account(account_login: "admin@example.com")
 ```
 
-The base URL is taken from Action Mailer's `default_url_options` setting if
-configured. The `Rodauth::Rails.rodauth` method accepts additional keyword
-arguments:
+The rodauth-rails gem additionally updates the internal rack env hash with your
+`config.action_mailer.default_url_options`, which is used for generating email
+links.
 
-* `:account` – Active Record model instance from which to set `account` and `session[:account_id]`
-* `:query` & `:form` – set specific query/form parameters
-* `:session` – set any session values
-* `:env` – set any additional Rack env values
+For generating authentication URLs outside of a request use the
+[path_class_methods] plugin:
 
 ```rb
-Rodauth::Rails.rodauth(account: Account.find(account_id))
-Rodauth::Rails.rodauth(query: { "param" => "value" })
-Rodauth::Rails.rodauth(form: { "param" => "value" })
-Rodauth::Rails.rodauth(session: { two_factor_auth_setup: true })
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    enable :path_class_methods
+  end
+end
+```
+```rb
+# main configuration
+RodauthApp.rodauth.create_account_path
+RodauthApp.rodauth.verify_account_url(key: "abc123")
+
+# secondary configuration
+RodauthApp.rodauth(:admin).close_account_path
+```
+
+#### Calling instance methods
+
+If you need to access Rodauth methods not exposed as internal requests, you can
+use `Rodauth::Rails.rodauth` to retrieve the Rodauth instance used by the
+internal_request feature:
+
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    enable :internal_request # this is required
+  end
+end
+```
+```rb
+account = Account.find_by!(email: "user@example.com")
+rodauth = Rodauth::Rails.rodauth(account: account)
+
+rodauth.compute_hmac("token") #=> "TpEJTKfKwqYvIDKWsuZhkhKlhaBXtR1aodskBAflD8U"
+rodauth.open_account? #=> true
+rodauth.two_factor_authentication_setup? #=> true
+rodauth.password_meets_requirements?("foo") #=> false
+rodauth.locked_out? #=> false
+```
+
+In addition to the `:account` option, the `Rodauth::Rails.rodauth`
+method accepts any options supported by the internal_request feature.
+
+```rb
+# main configuration
 Rodauth::Rails.rodauth(env: { "HTTP_USER_AGENT" => "programmatic" })
+Rodauth::Rails.rodauth(session: { two_factor_auth_setup: true })
+
+# secondary configuration
+Rodauth::Rails.rodauth(:admin, params: { "param" => "value" })
 ```
 
 ## How it works
@@ -825,21 +1009,23 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-If you need Cross-Origin Resource Sharing and/or JWT refresh tokens, enable the
-corresponding Rodauth features and create the necessary tables:
+The JWT token will be returned after each request to Rodauth routes. To also
+return the JWT token on requests to your app's routes, you can add the
+following code to your base controller:
 
-```sh
-$ rails generate rodauth:migration jwt_refresh
-$ rails db:migrate
-```
 ```rb
-# app/lib/rodauth_app.rb
-class RodauthApp < Rodauth::Rails::App
-  configure do
-    # ...
-    enable :jwt, :jwt_cors, :jwt_refresh
-    # ...
+class ApplicationController < ActionController::Base
+  # ...
+  after_action :set_jwt_token
+
+  private
+
+  def set_jwt_token
+    if rodauth.use_jwt? && rodauth.valid_jwt?
+      response.headers["Authorization"] = rodauth.session_jwt
+    end
   end
+  # ...
 end
 ```
 
@@ -944,9 +1130,13 @@ class RodauthController < ApplicationController
       account.identities.create!(provider: auth["provider"], uid: auth["uid"], info: auth["info"])
     end
 
-    # login with Rodauth
+    # load the account into the rodauth instance
     rodauth.account_from_login(account.email)
-    rodauth.login("omniauth")
+
+    rodauth_response do # ensures any `after_action` callbacks get called
+      # sign in the loaded account
+      rodauth.login("omniauth")
+    end
   end
 end
 ```
@@ -965,6 +1155,7 @@ methods:
 | `rails_check_csrf!`         | Verifies the authenticity token for the current request.           |
 | `rails_controller_instance` | Instance of the controller with the request env context.           |
 | `rails_controller`          | Controller class to use for rendering and CSRF protection.         |
+| `rails_account_model`       | Model class connected with the accounts table.                     |
 
 The `Rodauth::Rails` module has a few config settings available as well:
 
@@ -1147,29 +1338,6 @@ Rails.application.configure do |config|
 end
 ```
 
-If you need to create an account record with a password directly, you can do it
-as follows:
-
-```rb
-# app/models/account.rb
-class Account < ApplicationRecord
-  has_one :password_hash, foreign_key: :id
-end
-```
-```rb
-# app/models/account/password_hash.rb
-class Account::PasswordHash < ApplicationRecord
-  belongs_to :account, foreign_key: :id
-end
-```
-```rb
-require "bcrypt"
-
-account = Account.create!(email: "user@example.com", status: "verified")
-password_hash = BCrypt::Password.create("secret", cost: BCrypt::Engine::MIN_COST)
-account.create_password_hash!(id: account.id, password_hash: password_hash)
-```
-
 ## Rodauth defaults
 
 rodauth-rails changes some of the default Rodauth settings for easier setup:
@@ -1303,3 +1471,6 @@ conduct](https://github.com/janko/rodauth-rails/blob/master/CODE_OF_CONDUCT.md).
 [single_session]: http://rodauth.jeremyevans.net/rdoc/files/doc/single_session_rdoc.html
 [account_expiration]: http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html
 [simple_ldap_authenticator]: https://github.com/jeremyevans/simple_ldap_authenticator
+[internal_request]: http://rodauth.jeremyevans.net/rdoc/files/doc/internal_request_rdoc.html
+[composite_primary_keys]: https://github.com/composite-primary-keys/composite_primary_keys
+[path_class_methods]: https://rodauth.jeremyevans.net/rdoc/files/doc/path_class_methods_rdoc.html

data/lib/generators/rodauth/install_generator.rb

@@ -95,11 +95,11 @@ module Rodauth
         end
 
         def json?
-          options[:json]
+          options[:json] || api_only? && session_store? && !options[:jwt]
         end
 
         def jwt?
-          options[:jwt] || Rodauth::Rails.api_only?
+          options[:jwt] || api_only? && !session_store? && !options[:json]
         end
 
         def migration_features
@@ -107,6 +107,14 @@ module Rodauth
           features << :remember unless jwt?
           features
         end
+
+        def session_store?
+          !!::Rails.application.config.session_store
+        end
+
+        def api_only?
+          Rodauth::Rails.api_only?
+        end
       end
     end
   end

data/lib/generators/rodauth/migration/base.erb

@@ -5,11 +5,17 @@ enable_extension "citext"
 create_table :accounts<%= primary_key_type %> do |t|
 <% case activerecord_adapter -%>
 <% when "postgresql" -%>
-  t.citext :email, null: false, index: { unique: true, where: "status IN ('unverified', 'verified')" }
+  t.citext :email, null: false
 <% else -%>
-  t.string :email, null: false, index: { unique: true }
+  t.string :email, null: false
 <% end -%>
   t.string :status, null: false, default: "unverified"
+<% case activerecord_adapter -%>
+<% when "postgresql", "sqlite3" -%>
+  t.index :email, unique: true, where: "status IN ('unverified', 'verified')"
+<% else -%>
+  t.index :email, unique: true
+<% end -%>
 end
 
 # Used if storing password hashes in a separate table (default)

data/lib/generators/rodauth/templates/app/lib/rodauth_app.rb

@@ -154,7 +154,7 @@ class RodauthApp < Rodauth::Rails::App
 <% end -%>
   end
 
-  # ==> Multiple configurations
+  # ==> Secondary configurations
   # configure(:admin) do
   #   # ... enable features ...
   #   prefix "/admin"
@@ -163,11 +163,6 @@ class RodauthApp < Rodauth::Rails::App
   #
   #   # search views in `app/views/admin/rodauth` directory
   #   rails_controller { Admin::RodauthController }
-  #
-  #   # use separate tables (requires creating the new tables)
-  #   methods.grep(/_table$/) do |table_method|
-  #     public_send(table_method) { :"admin_#{super()}" }
-  #   end
   # end
 
   route do |r|
@@ -189,7 +184,7 @@ class RodauthApp < Rodauth::Rails::App
     #   rodauth.require_authentication
     # end
 
-    # ==> Multiple configurations
+    # ==> Secondary configurations
     # r.on "admin" do
     #   r.rodauth(:admin)
     #
@@ -197,7 +192,7 @@ class RodauthApp < Rodauth::Rails::App
     #     rodauth(:admin).require_http_basic_auth
     #   end
     #
-    #   r.pass # allow the Rails app to handle other "/admin/*" requests
+    #   break # allow the Rails app to handle other "/admin/*" requests
     # end
   end
 end

data/lib/generators/rodauth/templates/app/models/account.rb

@@ -1,2 +1,3 @@
 class Account < ApplicationRecord
+  include Rodauth::Rails.model
 end

data/lib/generators/rodauth/templates/app/views/rodauth/_recovery_codes_form.html.erb

@@ -1,4 +1,4 @@
-<%%= form_tag <%= rodauth %>.recovery_codes_path, method: :post do %>
+<%%= form_tag <%= rodauth %>.recovery_codes_path, method: :post, data: { turbo: false } do %>
   <%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
   <%%= render "submit",
     value: <%= rodauth %>.recovery_codes_button || "View Authentication Recovery Codes",

data/lib/generators/rodauth/views_generator.rb

@@ -61,6 +61,9 @@ module Rodauth
             _field _field_error _login_hidden_field _login_field _submit
             verify_account_resend verify_account
           ],
+          verify_login_change: %w[
+            _submit verify_login_change
+          ],
           lockout: %w[
             _login_hidden_field _submit unlock_account_request unlock_account
           ],
@@ -129,8 +132,9 @@ module Rodauth
         end
 
         def controller
-          rodauth = Rodauth::Rails.rodauth(configuration_name)
-          rodauth.rails_controller
+          rodauth = Rodauth::Rails.app.rodauth(configuration_name)
+          fail ArgumentError, "unknown rodauth configuration: #{configuration_name.inspect}" unless rodauth
+          rodauth.allocate.rails_controller
         end
 
         def configuration_name

data/lib/rodauth/rails/auth.rb

@@ -6,10 +6,10 @@ module Rodauth
     # Base auth class that applies some default configuration and supports
     # multi-level inheritance.
     class Auth < Rodauth::Auth
-      def self.inherited(auth_class)
+      def self.inherited(subclass)
         super
         superclass = self
-        auth_class.class_eval do
+        subclass.class_eval do
           @roda_class = Rodauth::Rails.app
           @features = superclass.features.clone
           @routes = superclass.routes.clone

data/lib/rodauth/rails/controller_methods.rb

@@ -4,13 +4,54 @@ module Rodauth
       def self.included(controller)
         # ActionController::API doesn't have helper methods
         if controller.respond_to?(:helper_method)
-          controller.helper_method :rodauth
+          controller.helper_method :rodauth, :current_account
         end
       end
 
       def rodauth(name = nil)
         request.env.fetch ["rodauth", *name].join(".")
       end
+
+      def current_account(name = nil)
+        model = rodauth(name).rails_account_model
+        id = rodauth(name).session_value
+
+        @current_account ||= {}
+        @current_account[name] ||= fetch_account(model, id) do
+          rodauth(name).clear_session
+          rodauth(name).login_required
+        end
+      end
+
+      private
+
+      def fetch_account(model, id, &not_found)
+        if defined?(ActiveRecord::Base) && model < ActiveRecord::Base
+          begin
+            model.find(id)
+          rescue ActiveRecord::RecordNotFound
+            not_found.call
+          end
+        elsif model < Sequel::Model
+          begin
+            model.with_pk!(id)
+          rescue Sequel::NoMatchingRow
+            not_found.call
+          end
+        else
+          fail Error, "unsupported model type: #{model}"
+        end
+      end
+
+      def rodauth_response
+        res = catch(:halt) { return yield }
+
+        self.status = res[0]
+        self.headers.merge! res[1]
+        self.response_body = res[2]
+
+        res
+      end
     end
   end
 end