Interesting "Phantom Login" when customizing create_account page and removing login-confirm and password-confirm

[lukestuts]

I added a custom page for create_account as follows:

<h1>Create Account</h1>
<form method="post" class="rodauth" role="form" id="create-account-form">
  
<%= MyRodauth.csrf_tag("/create-account") %>  

<div class="form-group mb-3">
  <label for="login" class="form-label">Login</label>
  <input autocomplete="email" required="required" type="email" class="form-control" name="login" id="login" value=""/> 
</div>

<div class="form-group mb-3">
  <label for="login-confirm" class="form-label">Confirm Login</label>
  <input autocomplete="email" required="required" type="email" class="form-control" name="login-confirm" id="login-confirm" value=""/> 
</div>

<div class="form-group mb-3">
  <label for="password" class="form-label">Password</label>
  <input autocomplete="new-password" required="required" type="password" class="form-control" name="password" id="password" value=""/> 
</div>

<div class="form-group mb-3">
  <label for="password-confirm" class="form-label">Confirm Password</label>
  <input autocomplete="new-password" required="required" type="password" class="form-control" name="password-confirm" id="password-confirm" value=""/> 
</div>

<div class="form-group mb-3">
  <input type="submit" class="btn btn-primary" value="Create Account"/>
</div>

</form>

I then removed the login-confirm and password-confirm inputs because they were slowing me down. I did this as follows:

<h1>Create Account</h1>
<form method="post" class="rodauth" role="form" id="create-account-form">
  
<%= MyRodauth.csrf_tag("/create-account") %>  

<div class="form-group mb-3">
  <label for="login" class="form-label">Login</label>
  <input autocomplete="email" required="required" type="email" class="form-control" name="login" id="login" value=""/> 
</div>

<div class="form-group mb-3">
  <label for="password" class="form-label">Password</label>
  <input autocomplete="new-password" required="required" type="password" class="form-control" name="password" id="password" value=""/> 
</div>

<div class="form-group mb-3">
  <input type="submit" class="btn btn-primary" value="Create Account"/>
</div>

</form>

Using this custom create_account page, I found that I could "create" an account that never made it into the database. I was logged in as the new account and my site worked fine, but the account never made it in to postgres. After I logged out, I was no longer able to log in as this new account (because it never made it into the database) but I could "create" it on demand.

I was unable to see any errors or failures reported when I did this.

Restoring the login-confirm and password-confirm inputs fixed the problem, but I think this could have interesting possibilities if a user can create a session with an account that is never persisted?

[jeremyevans]

If you are requiring login configuration and password configuration, and the confirmation values do not match, those are treated as errors well before anything is saved to the database or the session is updated.

Hard to know what is going wrong in your application, but you would at least need to post a self-contained minimal example. Most import would be your Rodauth configuration.

[lukestuts]

Thanks Jeremy I will endeavour to get this online. It's the same Sinatra approach with a Roda middleware.