searls-auth 0.1.1 → 1.0.0

data/app/views/searls/auth/registrations/show.html.erb

@@ -3,8 +3,7 @@
 <%= form_with url: searls_auth.register_path, data: {controller: searls_auth_helper.login_stimulus_controller} do |f| %>
   <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
   <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
-  <%= f.label :email %>
-  <%= f.email_field :email, value: params[:email], required: true, data: searls_auth_helper.email_field_stimulus_data %>
+  <%= render "searls/auth/shared/register_fields", f: f %>
   <%= f.submit "Register" %>
 <% end %>
 

data/app/views/searls/auth/requests_password_resets/show.html.erb

@@ -0,0 +1,17 @@
+<h1>Forgot your password?</h1>
+
+<%= form_with url: searls_auth.password_reset_request_path, method: :post, data: {controller: searls_auth_helper.login_stimulus_controller} do |f| %>
+  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+  <div>
+    <%= f.label :email, "Email address" %>
+    <%= f.email_field :email, required: true, value: params[:email], autocomplete: "email" %>
+  </div>
+  <div>
+    <%= f.submit "Send reset instructions" %>
+  </div>
+<% end %>
+
+<p>
+  Remembered your password? <%= link_to "Log in", searls_auth_helper.login_path %> instead.
+</p>

data/app/views/searls/auth/resets_passwords/show.html.erb

@@ -0,0 +1,26 @@
+<h1>Reset your password</h1>
+
+<%= form_with url: searls_auth.password_reset_update_path, method: :patch do |f| %>
+  <%= f.hidden_field :token, value: @token %>
+  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+  <div>
+    <%= label_tag :email, "Email address" %>
+    <%= email_field_tag :email, @user_email, disabled: true %>
+  </div>
+  <div>
+    <%= f.label :password, "New password" %>
+    <%= f.password_field :password, autocomplete: "new-password", required: true %>
+  </div>
+  <div>
+    <%= f.label :password_confirmation, "Confirm new password" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password", required: true %>
+  </div>
+  <div>
+    <%= f.submit "Update password" %>
+  </div>
+<% end %>
+
+<p>
+  Remembered it? <%= link_to "Log in", searls_auth_helper.login_path %> instead.
+</p>

data/app/views/searls/auth/settings/edit.html.erb

@@ -0,0 +1,31 @@
+<h1>Account Settings</h1>
+
+<%= form_with scope: :settings, url: searls_auth.settings_path, method: :patch do |f| %>
+  <%= hidden_field_tag :redirect_path, params[:redirect_path] %>
+  <%= hidden_field_tag :redirect_subdomain, params[:redirect_subdomain] %>
+
+  <fieldset>
+    <legend>Password</legend>
+    <% if password_on_file? %>
+      <div>
+        <%= f.label :current_password, "Current password" %>
+        <%= f.password_field :current_password, autocomplete: "current-password", required: password_on_file? %>
+      </div>
+      <p class="hint">Enter your current password to make changes.</p>
+    <% end %>
+
+    <div>
+      <%= f.label :password, password_on_file? ? "New password" : "Password" %>
+      <%= f.password_field :password, autocomplete: "new-password", required: !password_on_file? %>
+    </div>
+
+    <div>
+      <%= f.label :password_confirmation, "Confirm password" %>
+      <%= f.password_field :password_confirmation, autocomplete: "new-password", required: !password_on_file? %>
+    </div>
+  </fieldset>
+
+  <div>
+    <%= f.submit "Save changes" %>
+  </div>
+<% end %>

data/app/views/searls/auth/shared/_login_fields.html.erb

@@ -0,0 +1,11 @@
+<div>
+  <%= f.label :email %>
+  <%= f.email_field :email, required: true, value: params[:email], data: searls_auth_helper.email_field_stimulus_data %>
+</div>
+<% if Searls::Auth.config.auth_methods.include?(:password) %>
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: "current-password" %>
+  </div>
+<% end %>
+

data/app/views/searls/auth/shared/_register_fields.html.erb

@@ -0,0 +1,15 @@
+<div>
+  <%= f.label :email %>
+  <%= f.email_field :email, value: params[:email], required: true, data: searls_auth_helper.email_field_stimulus_data %>
+</div>
+<% if Searls::Auth.config.auth_methods.include?(:password) %>
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: "new-password" %>
+  </div>
+  <div>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+  </div>
+<% end %>
+

data/app/views/searls/auth/verifications/show.html.erb

@@ -1,24 +1,24 @@
 <h1>Check your email!</h1>
+<% parts = { email_link: "a link", email_otp: "a six-digit code" }.slice(*Searls::Auth.config.auth_methods).values %>
 <p>
-  In the next few moments, you should receive an email that will provide you
-  two ways to log in: a link and a six-digit code that you can enter below.
+  In the next few moments, you should receive an email with <%= parts.to_sentence %> to log in.
 </p>
-<%= form_with(url: searls_auth.verify_path, method: :post, data: {
-    # Don't use turbo on cross-domain redirects
-    turbo: searls_auth_helper.enable_turbo?
-  }) do |f| %>
-  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
-  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
-  <div data-controller="<%= searls_auth_helper.otp_stimulus_controller %>">
-    <%= f.label :short_code, "Code" %>
-    <%= f.text_field :short_code,
-      maxlength: 6,
-      inputmode: "numeric",
-      pattern: "\\d{6}",
-      autocomplete: "one-time-code",
-      title: "six-digit code that was emailed to you",
-      data: searls_auth_helper.otp_field_stimulus_data
-    %>
-  </div>
-  <%= f.submit "Log in" %>
+
+<% if Searls::Auth.config.auth_methods.include?(:email_otp) %>
+  <%= form_with(url: searls_auth.verify_path, method: :post, data: { turbo: searls_auth_helper.enable_turbo? }) do |f| %>
+    <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+    <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+    <div data-controller="<%= searls_auth_helper.otp_stimulus_controller %>">
+      <%= f.label :short_code, "Code" %>
+      <%= f.text_field :short_code,
+        maxlength: 6,
+        inputmode: "numeric",
+        pattern: "\\d{6}",
+        autocomplete: "one-time-code",
+        title: "six-digit code that was emailed to you",
+        data: searls_auth_helper.otp_field_stimulus_data
+      %>
+    </div>
+    <%= f.submit "Log in" %>
+  <% end %>
 <% end %>

data/config/routes.rb

@@ -9,4 +9,15 @@ Searls::Auth::Engine.routes.draw do
   get "login/verify", to: "verifications#show", as: :verify
   post "login/verify", to: "verifications#create"
   get "login/verify_token", to: "verifications#create", as: :verify_token
+  match "email/resend_verification", via: [:get, :patch], to: "email_verifications#resend", as: :resend_email_verification
+  get "email/pending_verification", to: "registrations#pending_email_verification", as: :pending_email_verification
+
+  get "email/verify", to: "email_verifications#show", as: :verify_email
+
+  resource :settings, only: [:edit, :update]
+
+  get "password/reset", to: "requests_password_resets#show", as: :password_reset_request
+  post "password/reset", to: "requests_password_resets#create"
+  get "password/reset/edit", to: "resets_passwords#show", as: :password_reset_edit
+  patch "password/reset", to: "resets_passwords#update", as: :password_reset_update
 end

data/lib/searls/auth/authenticates_user.rb

@@ -1,18 +1,23 @@
 module Searls
   module Auth
     class AuthenticatesUser
-      Result = Struct.new(:success?, :user, :exceeded_short_code_attempt_limit?, keyword_init: true)
+      def initialize
+        @parses_time_safely = ParsesTimeSafely.new
+      end
+      Result = Struct.new(:success?, :user, :exceeded_email_otp_attempt_limit?, :email_unverified?, keyword_init: true)
 
-      def authenticate_by_short_code(short_code, session)
-        if session[:searls_auth_short_code_verification_attempts] > Searls::Auth.config.max_allowed_short_code_attempts
-          return Result.new(success?: false, exceeded_short_code_attempt_limit?: true)
+      def authenticate_by_email_otp(email_otp, session)
+        if session[:searls_auth_email_otp_verification_attempts] > Searls::Auth.config.max_allowed_email_otp_attempts
+          return Result.new(success?: false, exceeded_email_otp_attempt_limit?: true)
         end
 
-        if session[:searls_auth_short_code_generated_at].present? &&
-            Time.zone.parse(session[:searls_auth_short_code_generated_at]) > Searls::Auth.config.token_expiry_minutes.minutes.ago &&
-            short_code == session[:searls_auth_short_code] &&
-            (user = Searls::Auth.config.user_finder_by_id.call(session[:searls_auth_short_code_user_id])).present?
-          Searls::Auth.config.after_login_success&.call(user)
+        generated_at_value = session[:searls_auth_email_otp_generated_at]
+        if generated_at_value.present? &&
+            (generated_at = parse_otp_timestamp(generated_at_value)) &&
+            generated_at > email_otp_expiry_cutoff &&
+            email_otp == session[:searls_auth_email_otp] &&
+            (user = Searls::Auth.config.user_finder_by_id.call(session[:searls_auth_email_otp_user_id])).present?
+          Searls::Auth.config.after_login_success.call(user)
           Result.new(success?: true, user: user)
         else
           Result.new(success?: false)
@@ -23,12 +28,51 @@ module Searls
         user = Searls::Auth.config.user_finder_by_token.call(token)
 
         if user.present?
-          Searls::Auth.config.after_login_success&.call(user)
+          Searls::Auth.config.after_login_success.call(user)
+          Result.new(success?: true, user: user)
+        else
+          Result.new(success?: false)
+        end
+      end
+
+      def authenticate_by_password(email, password, session)
+        user = Searls::Auth.config.user_finder_by_email.call(email)
+        return Result.new(success?: false) if user.blank?
+
+        configuration = Searls::Auth.config
+
+        if requires_verification?(configuration) && !configuration.email_verified_predicate.call(user)
+          return Result.new(success?: false, email_unverified?: true)
+        end
+
+        begin
+          ok = configuration.password_verifier.call(user, password)
+        rescue NameError
+          return Result.new(success?: false) # controller will map to misconfiguration message
+        end
+
+        if ok
+          configuration.after_login_success.call(user)
           Result.new(success?: true, user: user)
         else
           Result.new(success?: false)
         end
       end
+
+      private
+
+      def requires_verification?(configuration)
+        configuration.email_verification_mode == :required
+      end
+
+      def email_otp_expiry_cutoff
+        minutes = Searls::Auth.config.email_otp_expiry_minutes
+        Time.zone.now - (minutes * 60)
+      end
+
+      def parse_otp_timestamp(value)
+        @parses_time_safely.parse(value)
+      end
     end
   end
 end

data/lib/searls/auth/builds_target_redirect_url.rb

@@ -0,0 +1,72 @@
+require "uri"
+
+module Searls
+  module Auth
+    class BuildsTargetRedirectUrl
+      def build(request, params)
+        path = normalize_path(params[:redirect_path])
+        host = resolve_host(request, params[:redirect_subdomain])
+
+        if host == request.host && path.present?
+          path
+        elsif host != request.host
+          absolute_url(request, host, path)
+        end
+      end
+
+      private
+
+      def normalize_path(raw)
+        if !raw.nil? && !(v = raw.to_s.strip).empty?
+          v = v.sub(%r{\Ahttps?://[^/?#]+}i, "")
+          "/#{v}".sub(%r{\A/+/}, "/")
+        end
+      end
+
+      def resolve_host(request, subdomain)
+        s = normalize_subdomain(subdomain)
+        cur = request.subdomain.presence
+        return request.host if s.nil? || s == cur || (s == "" && cur.nil?)
+        return root_host(request) || request.host if s == "" && cur
+        base = root_host(request) || request.host
+        "#{s}.#{base}"
+      end
+
+      def normalize_subdomain(raw)
+        return "" if raw.is_a?(String) && raw.strip.empty?
+        if (v = raw.to_s.downcase).present?
+          v if /\A[a-z0-9-]+\z/.match?(v)
+        end
+      end
+
+      def root_host(request)
+        request.domain.presence || begin
+          host = URI.parse(request.base_url).host
+          sub = request.subdomain.to_s
+          if sub.empty?
+            host
+          else
+            pref = "#{sub}."
+            host.start_with?(pref) ? host.delete_prefix(pref) : host
+          end
+        end
+      end
+
+      def absolute_url(request, host, path)
+        uri = URI.parse(request.base_url)
+        uri.host = host
+        if path && !path.empty?
+          m = path.match(/\A([^?#]*)(?:\?([^#]*))?(?:#(.*))?\z/)
+          uri.path = m[1]
+          uri.query = m[2]
+          uri.fragment = m[3]
+        else
+          uri.path = ""
+          uri.query = nil
+          uri.fragment = nil
+        end
+        uri.to_s
+      end
+    end
+  end
+end

data/lib/searls/auth/config.rb

@@ -1,6 +1,26 @@
 module Searls
   module Auth
+    # Numeric config keys coerced to Integer and required to be > 0
+    NUMERIC_FIELDS = [
+      :email_otp_expiry_minutes,
+      :max_allowed_email_otp_attempts
+    ].freeze
+
+    # Core hooks that must always be callable
+    HOOK_FIELDS = [
+      :user_finder_by_email,
+      :user_finder_by_id,
+      :user_finder_by_token,
+      :user_initializer,
+      :token_generator,
+      :email_verified_predicate,
+      :email_verified_setter,
+      :validate_registration,
+      :after_login_success
+    ].freeze
     Config = Struct.new(
+      :auth_methods, # array of symbols, e.g., [:email_link, :email_otp]
+      :email_verification_mode, # :none, :optional, :required
       # Data setup
       :user_finder_by_email, # proc(email)
       :user_finder_by_id, # proc(id)
@@ -8,28 +28,44 @@ module Searls
       :user_initializer, # proc(params)
       :user_name_method, # string
       :token_generator, # proc()
-      :token_expiry_minutes, # integer
+      :password_verifier, # proc(user, password)
+      :password_setter, # proc(user, password)
+      :password_reset_token_generator, # proc(user)
+      :password_reset_token_finder, # proc(token)
+      :before_password_reset, # proc(user, params, controller)
+      :password_reset_enabled, # boolean
+      :email_verified_predicate, # proc(user)
+      :email_verified_setter, # proc(user, time = Time.current)
+      :password_present_predicate, # proc(user)
       # Controller setup
       :preserve_session_keys_after_logout, # array of symbols
-      :max_allowed_short_code_attempts, # integer
+      :max_allowed_email_otp_attempts, # integer (email OTP attempts)
+      :email_otp_expiry_minutes, # integer
       # View setup
       :layout, # string
       :login_view, # string
       :register_view, # string
       :verify_view, # string
+      :pending_email_verification_view, # string
+      :password_reset_request_view, # string
+      :password_reset_edit_view, # string
       :mail_layout, # string
       :mail_login_template_path, # string
       :mail_login_template_name, # string
+      :mail_password_reset_template_path, # string
+      :mail_password_reset_template_name, # string
+      :mail_email_verification_template_path, # string
+      :mail_email_verification_template_name, # string
       # Routing setup
       :redirect_path_after_register, # string or proc(user, params, request, routes), all new registrations redirect here
-      :default_redirect_path_after_login, # string or proc(user, params, request, routes), only redirected here if redirect_path param not set
+      :redirect_path_after_login, # string or proc(user, params, request, routes), only redirected here if redirect_path param not set
+      :redirect_path_after_settings_change, # string or proc(user, params, request, routes), post-settings updates redirect here
       # Hook setup
       :validate_registration, # proc(user, params, errors = []), must return an array of error messages where empty means valid
       :after_login_success, # proc(user)
       # Branding setup
       :app_name, # string
       :app_url, # string
-      :support_email_address, # string
       :email_banner_image_path, # string
       :email_background_color, # string
       :email_button_color, # string
@@ -38,19 +74,219 @@ module Searls
       :flash_error_after_register_attempt, # string or proc(error_messages, login_path, params)
       :flash_notice_after_login_attempt, # string or proc(user, params)
       :flash_error_after_login_attempt_unknown_email, # string or proc(register_path, params)
+      :flash_error_after_login_attempt_invalid_password, # string or proc(params)
+      :flash_error_after_login_attempt_unverified_email, # string or proc(resend_email_verification_path, params)
+      :flash_notice_after_login_with_unverified_email, # string or proc(resend_email_verification_path, params)
+      :flash_error_after_password_misconfigured, # string or proc(params)
+      :flash_error_after_password_reset_token_invalid, # string or proc(params)
+      :flash_error_after_password_reset_password_mismatch, # string or proc(params)
+      :flash_error_after_password_reset_password_blank, # string or proc(params)
+      :flash_error_after_password_reset_not_enabled, # string or proc(params)
       :flash_notice_after_logout, # string or proc(params)
-      :flash_notice_after_verification, # string or proc(user, params)
+      :flash_notice_after_login, # string or proc(user, params)
+      :flash_notice_after_verification_email_resent, # string or proc(params)
+      :flash_notice_after_email_verified, # string or proc(user, params)
+      :flash_notice_after_password_reset_email, # string or proc(params)
+      :flash_notice_after_password_reset, # string or proc(user, params)
       :flash_error_after_verify_attempt_exceeds_limit, # string or proc(params)
-      :flash_error_after_verify_attempt_incorrect_short_code, # string or proc(params)
+      :flash_error_after_verify_attempt_incorrect_email_otp, # string or proc(params)
       :flash_error_after_verify_attempt_invalid_link, # string or proc(params)
+      :flash_notice_after_settings_update, # string or proc(user, params)
+      :flash_error_after_settings_current_password_missing, # string or proc(params)
+      :flash_error_after_settings_current_password_invalid, # string or proc(params)
+      :auto_login_after_password_reset, # boolean
       keyword_init: true
     ) do
       # Get values from values that might be procs
       def resolve(option, *args)
-        if self[option].respond_to?(:call)
-          self[option].call(*args)
-        else
-          self[option]
+        key = option.to_sym
+        value = public_send(key)
+        value.respond_to?(:call) ? value.call(*args) : value
+      end
+
+      def password_reset_enabled?
+        auth_methods.include?(:password) && password_reset_enabled
+      end
+
+      def password_present?(user)
+        predicate = password_present_predicate
+        return false if predicate.nil?
+
+        predicate.call(user)
+      end
+
+      def validate!
+        validate_auth_methods!
+        validate_email_verification_mode!
+        validate_numeric_options!
+        validate_core_hooks!
+        validate_password_settings!
+        validate_default_user_hooks!
+      rescue => e
+        unless [
+          "PG::UndefinedTable",
+          "ActiveRecord::NoDatabaseError",
+          "ActiveRecord::StatementInvalid"
+        ].include?(e.class.inspect)
+          # don't validate when connection isn't esstablished
+          raise
+        end
+      end
+
+      private
+
+      def validate_auth_methods!
+        normalized = Array(auth_methods).map(&:to_sym)
+        self.auth_methods = normalized
+        allowed = [:password, :email_link, :email_otp]
+        raise Searls::Auth::Error, "auth_methods cannot be empty; enable at least one of :password, :email_link, or :email_otp" if normalized.empty?
+        unknown = normalized - allowed
+        if unknown.any?
+          raise Searls::Auth::Error, "Unknown auth_methods: #{unknown.inspect}. Allowed: #{allowed.inspect}"
+        end
+      end
+
+      def validate_email_verification_mode!
+        mode_value = email_verification_mode
+        mode = mode_value.respond_to?(:to_sym) ? mode_value.to_sym : :none
+        self.email_verification_mode = mode
+        auth_methods
+        # Allow email verification regardless of email auth methods; verification emails are separate
+      end
+
+      def validate_password_settings!
+        methods = auth_methods
+        return unless methods.include?(:password)
+
+        using_default_hooks =
+          password_verifier.equal?(Searls::Auth::DEFAULT_CONFIG[:password_verifier]) &&
+          password_setter.equal?(Searls::Auth::DEFAULT_CONFIG[:password_setter])
+
+        if using_default_hooks && defined?(::User)
+          missing = []
+          missing << "User#authenticate" unless ::User.method_defined?(:authenticate)
+          has_password_digest_method = ::User.method_defined?(:password_digest)
+          has_password_digest_column = ::User.respond_to?(:column_names) && ::User.column_names.include?("password_digest")
+          missing << "users.password_digest" unless has_password_digest_method || has_password_digest_column
+          if missing.any?
+            raise Searls::Auth::Error, "Password login requires #{missing.join(" and ")}. Add bcrypt/has_secure_password or override password hooks."
+          end
+        end
+
+        ensure_callable!(:password_reset_token_generator)
+        ensure_callable!(:password_reset_token_finder)
+        ensure_callable!(:before_password_reset)
+        ensure_callable!(:password_present_predicate)
+        self.auto_login_after_password_reset = !!auto_login_after_password_reset
+        self.password_reset_enabled = true if password_reset_enabled.nil?
+        self.password_reset_enabled = !!password_reset_enabled
+      end
+
+      def validate_numeric_options!
+        NUMERIC_FIELDS.each do |key|
+          raw = public_send(key)
+          coerced = begin
+            Integer(raw)
+          rescue ArgumentError, TypeError
+            raise Searls::Auth::Error, "#{key} must be an integer"
+          end
+          if coerced < 1
+            raise Searls::Auth::Error, "#{key} must be >= 1"
+          end
+          public_send("#{key}=", coerced)
+        end
+      end
+
+      def validate_core_hooks!
+        HOOK_FIELDS.each { |key| ensure_callable!(key) }
+      end
+
+      def ensure_callable!(key)
+        value = public_send(key)
+        return if value.respond_to?(:call)
+
+        raise Searls::Auth::Error, "#{key} must be callable when password authentication is enabled"
+      end
+
+      def ensure_callable_optional!(key)
+        value = public_send(key)
+        return if value.nil? || value.respond_to?(:call)
+
+        raise Searls::Auth::Error, "#{key} must be callable when provided"
+      end
+
+      # If any hooks still reference the default `User` implementation, make
+      # sure a compatible `User` exists and exposes the fields/methods our
+      # defaults assume (id, email, token helpers, etc.).
+      def validate_default_user_hooks!
+        hooks_pointing_at_user = [
+          :user_finder_by_email,
+          :user_finder_by_id,
+          :user_finder_by_token,
+          :user_initializer,
+          :token_generator
+        ].select { |k| public_send(k).equal?(Searls::Auth::DEFAULT_CONFIG[k]) }
+
+        return if hooks_pointing_at_user.empty?
+
+        # Enforce these checks only when ActiveModel is present (e.g., Rails).
+        return unless defined?(::ActiveModel)
+
+        unless defined?(::User)
+          raise Searls::Auth::Error,
+            "Default hooks assume a `User` model. Define `User` (Active Record/Active Model) or override: #{hooks_pointing_at_user.inspect}"
+        end
+
+        # Proceed with concrete, per-hook capability checks.
+
+        # One-off validations for each default hook
+        if public_send(:user_finder_by_id).equal?(Searls::Auth::DEFAULT_CONFIG[:user_finder_by_id])
+          unless ::User.respond_to?(:find_by)
+            raise Searls::Auth::Error, "Default :user_finder_by_id expects User.find_by(id: ...) to exist."
+          end
+          unless ::User.method_defined?(:id)
+            raise Searls::Auth::Error, "Default :user_finder_by_id expects a `User#id` attribute."
+          end
+        end
+
+        if public_send(:user_finder_by_email).equal?(Searls::Auth::DEFAULT_CONFIG[:user_finder_by_email])
+          unless ::User.respond_to?(:find_by)
+            raise Searls::Auth::Error, "Default :user_finder_by_email expects User.find_by(email: ...) to exist."
+          end
+          has_email_method = ::User.method_defined?(:email)
+          has_email_column = ::User.respond_to?(:column_names) && ::User.column_names.include?("email")
+          unless has_email_method || has_email_column
+            raise Searls::Auth::Error, "Default :user_finder_by_email expects a `users.email` attribute."
+          end
+        end
+
+        if public_send(:user_finder_by_token).equal?(Searls::Auth::DEFAULT_CONFIG[:user_finder_by_token])
+          unless ::User.respond_to?(:find_by_token_for)
+            raise Searls::Auth::Error, "Default :user_finder_by_token expects User.find_by_token_for(:email_auth, token) (Rails signed_id API)."
+          end
+        end
+
+        if public_send(:user_initializer).equal?(Searls::Auth::DEFAULT_CONFIG[:user_initializer])
+          unless ::User.respond_to?(:new)
+            raise Searls::Auth::Error, "Default :user_initializer expects `User.new(email: ...)` to work."
+          end
+          begin
+            probe = ::User.new
+            has_email_setter = probe.respond_to?(:email=)
+            has_email_column = ::User.respond_to?(:column_names) && ::User.column_names.include?("email")
+            unless has_email_setter || has_email_column
+              raise Searls::Auth::Error, "Default :user_initializer expects a writable email attribute on User."
+            end
+          rescue ArgumentError
+            # e.g., custom initialize signature
+            raise Searls::Auth::Error, "Default :user_initializer expects `User.new` with keyword args to be permissible."
+          end
+        end
+
+        if public_send(:token_generator).equal?(Searls::Auth::DEFAULT_CONFIG[:token_generator])
+          unless ::User.method_defined?(:generate_token_for)
+            raise Searls::Auth::Error, "Default :token_generator expects `user.generate_token_for(:email_auth)` (Rails signed_id API)."
+          end
         end
       end
     end

data/lib/searls/auth/creates_user.rb

@@ -11,13 +11,21 @@ module Searls
           Searls::Auth.config.user_initializer.call(params)
 
         if user.persisted?
-          Result.new(nil, false, ["An account already exists for that email address. <a href=\"#{login_path(**forwardable_params(params))}\">Log in</a> instead?".html_safe])
+          Result.new(nil, false, ["An account already exists for that email address. <a href=\"#{login_path(**forwardable_params(params))}\">Log in</a> instead?"])
         elsif (errors = Searls::Auth.config.validate_registration.call(user, params, [])).any?
           Result.new(nil, false, errors)
-        elsif user.save
-          Result.new(user, true)
         else
-          Result.new(user, false, simplified_error_messages(user))
+          if params[:password].present?
+            Searls::Auth.config.password_setter.call(user, params[:password])
+            if params[:password_confirmation].present? && user.respond_to?(:password_confirmation=)
+              user.password_confirmation = params[:password_confirmation]
+            end
+          end
+          if user.save
+            Result.new(user, true)
+          else
+            Result.new(user, false, simplified_error_messages(user))
+          end
         end
       end