Authentication Actions

These actions are used on custom login, registration, verification, reset, and magic-link pages.

Added in BetterForms 3.4.x: passwordless magic-link support via authMagicRequest and token-based authLogin.

• authLogin - Signs the user in with email/password or a magic-link token

• authLogout - Signs the user out

• authReset - Completes a password reset

• authForgot - Requests a password-reset email

• authMagicRequest - Requests a passwordless magic sign-in link

• _authVerify _ - Verifies the email-verification token

• authResend - Resends the email-verification token

• authRegister - Registers a user and, on success, runs onRegistration

These actions do not take custom options, but several require specific model keys such as email, password, or a token delivered in the URL.

If these values are required, add field validation and run a validate action before the authentication action.

The authRegister action does not require 2 password fields. If you want the user to enter their password twice before creating an account, you should create a custom validator that checks if the password key also matches some other password2 key.

The authReset action doesn't require an email field, but it does require a valid token in the URL. The token is generated and appended automatically when you run authForgot.

Similarly, authVerify only checks for the verification token in the URL. It is usually run in onFormLoad because users arrive from an email link.

The authMagicRequest action requires an email key in the model and sends a one-time sign-in link through onAuthNotifier. It is typically used on the page where the user enters their email address.

The authLogin action can now work in two modes:

• Email/password login using email and password

• Magic-link login using token in the model or URL

For magic-link pages, it is common to run authLogin in onFormLoad after the user lands on a page with ?token=.... When a token is present, authLogin redeems that magic link token instead of attempting a normal email/password login.

Auth Feedback

Authentication pages can read feedback from:

• model.authMessage

• model.authMessageCode

• model.authMessageType

• BF.authGetLastFeedback()

For new pages, prefer auth.* codes over parsing the English message text. For UI examples and patterns, see Custom Login Pages and BF Utility Functions.

Security note:

• Default auth UI should avoid confirming whether a specific email/account exists.

• For request/initiation flows such as magic-link request or password reset request, prefer existence-blind messages such as "If that email is registered..." or "If that email can be used to sign in...".