How to create a correct registration process? #4540

exeshka · 2026-01-07T08:41:01Z

exeshka
Jan 7, 2026

Hi everyone,
I’ve just started learning Serverpod, and I’ve run into some issues with authentication — mainly because I haven’t been able to find up-to-date information on how to work with the latest version.
Could you please advise on the correct way to approach my task?
I need to ensure that when a user signs in, we also create a corresponding user record in our own database.
So far, I’ve only come up with the following solution, but I’m not sure if it’s the right approach:

import 'package:serverpod/src/server/session.dart';
import 'package:serverpod_auth_idp_server/providers/email.dart';
import 'package:uuid/Uuid_value.dart';
import 'package:zone_movie_backend_server/src/modules/user/user_endpoint.dart';

class EmailIdpEndpoint extends EmailIdpBaseEndpoint {
  @override
  Future<UuidValue> startRegistration(
    Session session, {
    required String email,
  }) async {
    await UserEndpoint().createNewUser(session, email);

    return super.startRegistration(session, email: email);
  }
}

import 'dart:io';

import 'package:serverpod/serverpod.dart';
import 'package:serverpod_auth_idp_server/core.dart';
import 'package:serverpod_auth_idp_server/providers/email.dart';

import 'src/generated/endpoints.dart';
import 'src/generated/protocol.dart';

void run(List<String> args) async {
  final pod = Serverpod(
    args,
    Protocol(),
    Endpoints(),
  );

  pod.initializeAuthServices(
    tokenManagerBuilders: [
      JwtConfigFromPasswords(),
      ServerSideSessionsConfigFromPasswords(),
    ],
    identityProviderBuilders: [
      EmailIdpConfigFromPasswords(
        sendRegistrationVerificationCode: (
          session, {
          required accountRequestId,
          required email,
          required transaction,
          required verificationCode,
        }) {
          print(verificationCode);
        },
        sendPasswordResetVerificationCode: (
          session, {
          required email,
          required passwordResetRequestId,
          required transaction,
          required verificationCode,
        }) {
          print(verificationCode);
        },
      ),
    ],
  );

  await pod.start();
}

import 'package:serverpod/serverpod.dart';
import 'package:zone_movie_backend_server/src/generated/protocol.dart';

class UserEndpoint extends Endpoint {
  Future<User?> getUserByEmail(Session session, String email) async {
    final user = await User.db.findFirstRow(
      session,
      where: (user) => user.email.equals(email),
    );
    return user;
  }

  Future<User> createNewUser(Session session, String email) async {
    final existing = await getUserByEmail(session, email);
    if (existing != null) {
      throw Exception("email already used");
    }

    final user = User(
      userCompletedProfile: false,
      username: "",
      email: email,
      createdAt: DateTime.now(),
      updatedAt: DateTime.now(),
      isActive: false,
      role: UserRole.user,
      lastLogin: DateTime.now(),
    );

    var createdUser = await User.db.insertRow(session, user);

    final baseNickname = 'nickname_${user.id}';

    createdUser = await User.db.updateRow(
      session,
      createdUser.copyWith(
        username: baseNickname,
        updatedAt: DateTime.now(),
      ),
    );

    return createdUser;
  }
}

Also, how can I extend the authentication flow — for example, to support login using a username + password instead of only email?
I’m finding this system a bit difficult to understand. I previously worked with Node.js, and things there were structured very differently.

gkhnysl · 2026-01-08T16:14:52Z

gkhnysl
Jan 8, 2026

Draft Response (Copy & Paste):

Hi there! Welcome to the Serverpod community. Moving from Node.js can be a paradigm shift, but once you get used to the "Serverpod way," it becomes very powerful.

The approach you implemented by overriding startRegistration is not recommended. Why? startRegistration triggers before the user has verified their email (when they request the verification code). If you create your custom User record there, you will end up with "Ghost Users" in your database—people who requested a code but never actually completed the sign-up.

The Correct Approach: Use AuthConfig Hooks
In Serverpod, we don't usually modify the IDP endpoints directly. Instead, we configure the AuthConfig to listen for successful events.

You want to create your custom user record only after the user is fully verified and the core UserInfo has been created by Serverpod.

Modify your run function (usually in server.dart) to set up the AuthConfig with an onUserCreated callback.

Here is the implementation:

Dart

// inside bin/main.dart (or wherever your run function is)

void run(List args) async {
// ... pod initialization ...

// 1. Configure the Auth Hooks BEFORE initializing auth services
AuthConfig.set(AuthConfig(
onUserCreated: (session, userInfo) async {
// This callback runs AUTOMATICALLY after email verification is successful
// and the Serverpod UserInfo has been created.

  try {
    // Create your custom User record here, linking it to the auth system.
    // It is best practice to link them via the userInfo.id
    final customUser = User(
      userInfoId: userInfo.id, // Add this field to your model to link them
      email: userInfo.email ?? '',
      username: 'user_${userInfo.id}', // Generate a temp username
      createdAt: DateTime.now(),
      role: UserRole.user,
      isActive: true, 
    );

    await User.db.insertRow(session, customUser);
    
    session.log("Custom user record synced for User ID: ${userInfo.id}");
  } catch (e) {
    session.log("Failed to sync custom user: $e", level: LogLevel.error);
  }
},

));

// 2. Initialize Auth Services (Your existing code)
pod.initializeAuthServices(
// ... your existing builders
);

await pod.start();
}
Why this is better:

Data Integrity: You only create records for verified, real users.

Separation of Concerns: Your Auth logic (Serverpod) stays separate from your Business logic (Your Custom User Table).

Regarding Username + Password Login
The built-in EmailIdp is strictly opinionated for Email/Password flows.

If you strictly require Username + Password login:

Don't try to hack EmailIdp: It validates email formats.

Create a Custom Endpoint: Since you are coming from Node.js, think of this as writing a custom Controller.

Create a LoginEndpoint.

Accept username and password.

Find the user in your DB by username.

Validate the password hash manually (Serverpod has PasswordManager utilities you can use).

Manually create a session using session.auth.signInUser(...).

However, for a smoother start, I highly recommend sticking to Email + Password as the primary identifier, as it simplifies security significantly.

Hope this helps!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to create a correct registration process? #4540

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to create a correct registration process? #4540

Uh oh!

exeshka Jan 7, 2026

Replies: 1 comment

Uh oh!

gkhnysl Jan 8, 2026

exeshka
Jan 7, 2026

gkhnysl
Jan 8, 2026