Extend Castle integration across the full user lifecycle #20
Merged
Build on the existing login/logout/profile wiring so every authentication touch-point is instrumented and carries a browser-minted request token.
- score sign-ups with the risk endpoint ($registration); a deny verdict rolls the registration back, mirroring the login flow, and invalid attempts are reported to filter
- add a post-login custom event ($custom) from the profile page
- forward the castle.js request token on the sign-up, profile-update, custom event and logout forms (logout becomes a small form so it can mint a token)
- update the home page copy and readme; specs for the new and changed paths
What & why
The app already scored login (risk/filter) and logged logout and profile updates. This extends Castle coverage to the rest of the user lifecycle so the example mirrors a real end-to-end integration, and makes sure every Castle-bound form carries a request token minted in the browser by castle.js.

Changes

- Sign-ups are scored with the risk endpoint ($registration → risk). A deny verdict rolls the registration back (mirroring the login flow); invalid attempts are reported to filter.
- A post-login custom event ($custom) is available from the profile page, once signed in.
- The sign-up, profile-update, custom event and logout forms forward the castle.js request token as castle_request_token. Logout becomes a small button_to form so it too can mint a token.

Known limitations

- :recoverable is not enabled in this demo, so the existing "edit password" screen is left as-is rather than instrumented as a Castle $password_reset event.
- The logout and profile-update events go to the log endpoint, so they are fire-and-forget and not verdict-driven.
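An added example (not code from the PR or the demo app) of the sign-up path described under Changes: the user write, the $registration call to the risk endpoint, the rollback on a $deny verdict, and invalid attempts reported to filter as $failed. The Castle SDK calls are injected as callables, and the event statuses and the Transaction stand-in are assumptions, not the project's code.

```ruby
# Added example (not the PR's own code): the $registration decision flow the PR
# describes, with the Castle SDK calls injected as callables so it runs offline.
# Assumed: `risk`/`filter` return a hash with :action "$allow"/"$challenge"/"$deny".
class RegistrationGuard
  ROLLBACK_ACTIONS = ['$deny'].freeze

  def initialize(risk:, filter:)
    @risk = risk
    @filter = filter
  end

  # Event payload for a sign-up. The request token is the one castle.js minted
  # in the browser and the sign-up form forwarded as castle_request_token.
  def payload(params, request, status)
    {
      type: '$registration',
      status: status,
      request_token: params['castle_request_token'],
      user: { email: params['email'] },
      context: { ip: request[:ip], headers: request[:headers] }
    }
  end

  # Score a valid sign-up with the risk endpoint. The block persists the user;
  # a $deny verdict rolls that write back, mirroring the login flow.
  def register(params, request)
    raise ArgumentError, 'missing castle_request_token' unless params['castle_request_token']
    verdict = nil
    committed = Transaction.run do
      yield params                                   # persist the new user
      verdict = @risk.call(payload(params, request, '$succeeded'))
      throw :rollback if ROLLBACK_ACTIONS.include?(verdict[:action])
    end
    { action: verdict[:action], committed: committed }
  end

  # Invalid attempts (form validation failed) are reported to filter as $failed.
  def report_invalid(params, request)
    @filter.call(payload(params, request, '$failed'))
  end

  # Stand-in for an ActiveRecord transaction (assumed, not Rails code): the
  # block's writes count as committed unless it throws :rollback.
  module Transaction
    def self.run
      catch(:rollback) { yield; return true }
      false
    end
  end
end
```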