Ash Authentication redirecting to wrong route on failure

tegmentum · May 2, 2024, 1:51pm

I followed the tutorial to setup Ash Authentication.

I have the following:

router.ex

...
  scope "/", WfdBaseWeb do
    pipe_through :browser

    get "/", PageController, :home

    sign_in_route(on_mount: [{WfdBaseWeb.LiveUserAuth, :live_no_user}])
    sign_out_route AuthController

    auth_routes_for WfdBase.Accounts.User, to: AuthController
    reset_route []

    ash_authentication_live_session :authentication_optional,
      on_mount: {WfdBaseWeb.LiveUserAuth, :live_user_optional} do
      live "/app", App
    end
...
  end

The helper for liveview:

defmodule WfdBaseWeb.LiveUserAuth do
  @moduledoc """
  Helpers for authenticating users in LiveViews.
  """

  import Phoenix.Component
  use WfdBaseWeb, :verified_routes

  def on_mount(:live_user_optional, _params, _session, socket) do
    if socket.assigns[:current_user] do
      {:cont, socket}
    else
      {:cont, assign(socket, :current_user, nil)}
    end
  end

  def on_mount(:live_user_required, _params, _session, socket) do
    if socket.assigns[:current_user] do
      {:cont, socket}
    else
      {:halt, Phoenix.LiveView.redirect(socket, to: ~p"/sign-in")}
    end
  end

  def on_mount(:live_no_user, _params, _session, socket) do
    if socket.assigns[:current_user] do
      {:halt, Phoenix.LiveView.redirect(socket, to: ~p"/")}
    else
      {:cont, assign(socket, :current_user, nil)}
    end
  end
end

My controller:

defmodule WfdBaseWeb.AuthController do
  use WfdBaseWeb, :controller
  use AshAuthentication.Phoenix.Controller

  def success(conn, _activity, user, _token) do
    return_to = get_session(conn, :return_to) || ~p"/app"

    conn
    |> delete_session(:return_to)
    |> store_in_session(user)
    |> assign(:current_user, user)
    |> redirect(to: return_to)
  end

  def failure(conn, _activity, _reason) do
    conn
    |> put_status(401)
    |> render("failure.html")
  end

  def sign_out(conn, _params) do
    return_to = get_session(conn, :return_to) || ~p"/"

    conn
    |> clear_session()
    |> redirect(to: return_to)
  end
end

And my failure markup file at lib/wfd_base_web/controllers/auth_html/failure.html.heex

Signing in with a existing user and correct credentials works fine and redirects to /app as I expect.

The problem is that when I submit wrong credentials, I still get redirected to /app, which is not right, I expect a redirect to failure.html

Looking at /routes, there is no route for the failure page, is that expected ? how is this usually handled ?

Is there documentation on how to do this ?

zachdaniel · May 2, 2024, 2:08pm

You shouldn’t need a route for that, no. Although TBH you typically don’t want to use that failure.html pattern, you’d typically redirect back with a flash message.

Can you see if the failure/3 callback or success/4 callback is being invoked when you use the incorrect credentials? When you say it redirects to /app is it redirecting you with a logged in user? with no logged in user?

tegmentum · May 2, 2024, 3:18pm

Hyey Zach, thanks for getting back to me!

The failure/3 gets called actually.

  def failure(conn, _activity, _reason) do
    conn
    |> put_status(401)
    |> render("failure.html")
  end

this is the output from inspecting the conn

%AshAuthentication.Errors.AuthenticationFailed{
        field: nil,
        strategy: %AshAuthentication.Strategy.Password{
          confirmation_required?: true,
          hash_provider: AshAuthentication.BcryptProvider,
          hashed_password_field: :hashed_password,
          identity_field: :email,
          name: :password,
          password_confirmation_field: :password_confirmation,
          password_field: :password,
          provider: :password,
          register_action_accept: [],
          register_action_name: :register_with_password,
          registration_enabled?: true,
          resettable: nil,
          resource: WfdBase.Accounts.User,
          sign_in_action_name: :sign_in_with_password,
          sign_in_enabled?: true,
          sign_in_token_lifetime: {60, :seconds},
          sign_in_tokens_enabled?: false,
          sign_in_with_token_action_name: :sign_in_with_token_for_password,
          strategy_module: AshAuthentication.Strategy.Password
        },
        caused_by: %Ash.Error.Forbidden{
          errors: [
            %AshAuthentication.Errors.AuthenticationFailed{
              field: nil,
              strategy: %AshAuthentication.Strategy.Password{
                confirmation_required?: true,
                hash_provider: AshAuthentication.BcryptProvider,
                hashed_password_field: :hashed_password,
                identity_field: :email,
                name: :password,
                password_confirmation_field: :password_confirmation,
                password_field: :password,
                provider: :password,
                register_action_accept: [],
                register_action_name: :register_with_password,
                registration_enabled?: true,
                resettable: nil,
                resource: WfdBase.Accounts.User,
                sign_in_action_name: :sign_in_with_password,
                sign_in_enabled?: true,
                sign_in_token_lifetime: {60, :seconds},
                sign_in_tokens_enabled?: false,
                sign_in_with_token_action_name: :sign_in_with_token_for_password,
                strategy_module: AshAuthentication.Strategy.Password
              },
              caused_by: %{
                message: "Query returned no users",
                module: AshAuthentication.Strategy.Password.SignInPreparation,
                strategy: %AshAuthentication.Strategy.Password{
                  confirmation_required?: true,
                  hash_provider: AshAuthentication.BcryptProvider,
                  hashed_password_field: :hashed_password,
                  identity_field: :email,
                  name: :password,
                  password_confirmation_field: :password_confirmation,
                  password_field: :password,
                  provider: :password,
                  register_action_accept: [],
                  register_action_name: :register_with_password,
                  registration_enabled?: true,
                  resettable: nil,
                  resource: WfdBase.Accounts.User,
                  sign_in_action_name: :sign_in_with_password,
                  sign_in_enabled?: true,
                  sign_in_token_lifetime: {60, ...},
                  sign_in_tokens_enabled?: false,
                  ...
                },
                action: :sign_in
              },
              changeset: nil,
              query: #Ash.Query<
                resource: WfdBase.Accounts.User,
                arguments: %{
                  password: "**redacted**",
                  email: #Ash.CiString<"asd@gmail.com">
                },
                filter: #Ash.Filter<email == #Ash.CiString<"asd@gmail.com">>,
                select: [:hashed_password, :id, :email]
              >,
              error_context: [],
              vars: [],
              path: [],
              stacktrace: #Stacktrace<>,
              class: :forbidden
            }
          ],
          changeset: nil,
          query: #Ash.Query<
            resource: WfdBase.Accounts.User,
            arguments: %{
              password: "**redacted**",
              email: #Ash.CiString<"asd@gmail.com">
            },
            filter: #Ash.Filter<email == #Ash.CiString<"asd@gmail.com">>,
            errors: [
              %AshAuthentication.Errors.AuthenticationFailed{
                field: nil,
                strategy: %AshAuthentication.Strategy.Password{
                  confirmation_required?: true,
                  hash_provider: AshAuthentication.BcryptProvider,
                  hashed_password_field: :hashed_password,
                  identity_field: :email,
                  name: :password,
                  password_confirmation_field: :password_confirmation,
                  password_field: :password,
                  provider: :password,
                  register_action_accept: [],
                  register_action_name: :register_with_password,
                  registration_enabled?: true,
                  resettable: nil,
                  resource: WfdBase.Accounts.User,
                  sign_in_action_name: :sign_in_with_password,
                  sign_in_enabled?: true,
                  sign_in_token_lifetime: {60, :seconds},
                  sign_in_tokens_enabled?: false,
                  sign_in_with_token_action_name: :sign_in_with_token_for_password,
                  strategy_module: AshAuthentication.Strategy.Password
                },
                caused_by: %{
                  message: "Query returned no users",
                  module: AshAuthentication.Strategy.Password.SignInPreparation,
                  strategy: %AshAuthentication.Strategy.Password{
                    confirmation_required?: true,
                    hash_provider: AshAuthentication.BcryptProvider,
                    hashed_password_field: :hashed_password,
                    identity_field: :email,
                    name: :password,
                    password_confirmation_field: :password_confirmation,
                    password_field: :password,
                    provider: :password,
                    register_action_accept: [],
                    register_action_name: :register_with_password,
                    registration_enabled?: true,
                    resettable: nil,
                    resource: WfdBase.Accounts.User,
                    sign_in_action_name: :sign_in_with_password,
                    sign_in_enabled?: true,
                    ...
                  },
                  action: :sign_in
                },
                changeset: nil,
                query: #Ash.Query<
                  resource: WfdBase.Accounts.User,
                  arguments: %{
                    password: "**redacted**",
                    email: #Ash.CiString<"asd@gmail.com">
                  },
                  filter: #Ash.Filter<email == #Ash.CiString<"asd@gmail.com">>,
                  select: [:hashed_password, :id, :email]
                >,
                error_context: [],
                vars: [],
                path: [],
                stacktrace: #Stacktrace<>,
                class: :forbidden
              }
            ],
            select: [:id, :email, :hashed_password]
          >,
          error_context: [nil],
          vars: [],
          path: [],
          stacktrace: #Stacktrace<>,
          class: :forbidden
        },
        changeset: nil,
        query: nil,
        error_context: [],
        vars: [],
        path: [],
        stacktrace: #Stacktrace<>,
        class: :forbidden
      }
    ],

So the user is actually not found, and i’m redirected wit no user …

zachdaniel · May 2, 2024, 3:38pm

I’m confused why a redirect would be happening. If you’re getting to that failure handler, it shouldn’t redirect at all.

tegmentum · May 2, 2024, 3:54pm

Maybe ‘redirect’ is the wrong word.

The url becomes: /auth/user/password/sign_in,

but the template for app.html.heex is what i see in the browser.

zachdaniel · May 2, 2024, 4:11pm

Hmmmmm…that sounds pretty strange. Not sure what’s up. Ultimately what the failure handler does is up to you though. Here is one from one of my apps.

  @impl true
  def failure(
        conn,
        {:password, :sign_in},
        %AshAuthentication.Errors.AuthenticationFailed{}
      ) do
    conn
    |> put_flash(
      :error,
      "Username or password is incorrect"
    )
    |> redirect(to: "/sign-in")
  end

  def failure(conn, activity, reason) do
    stacktrace =
      case reason do
        %{stacktrace: %{stacktrace: stacktrace}} -> stacktrace
        _ -> nil
      end

    Logger.error("""
    Something went wrong in authentication

    activity: #{inspect(activity)}

    reason: #{Exception.format(:error, reason, stacktrace || [])}
    """)

    conn
    |> put_flash(
      :error,
      "Something went wrong"
    )
    |> redirect(to: "/sign-in")
  end

tegmentum · May 2, 2024, 4:16pm

That helps a lot, thank you for this.

I would say that should be in the docs somewhere, just to communicate it to readers, and open tell them where Ash’s involvement stops. I was really expecting some “magic” to happen. I wouldn’t mind opening a PR to update the docs (if that’s a thing).

Thanks again!

zachdaniel · May 2, 2024, 4:29pm

Definitely open to it! I’d actually like to change the docs to remove the failure.html concept and instead show basically what I pasted to you

kurmetaubanov · May 3, 2024, 9:26pm

hi @zachdaniel

i was having almost the same issue when sign-in tokens were enabled, sign-in form never called failure callback, it just rendered sign in form again without any failure messages

to draw a failure message I had to disable sign-in tokens for now.

What is interesting, can we keep identity_name filled on failure? on redirect to /sign-in it is cleared

zachdaniel · May 3, 2024, 9:48pm

So the sign in tokens allow for a “refresh-less” LV experience, but typically there would be logs for unhandled errors in forms. Do you see a log message telling you about unhandled errors?

kurmetaubanov · May 3, 2024, 10:22pm

No, last thing I see is Sign In Form handles “submit” event when tokens signin are enabled and no error log. Zach, could you point me where I can add put_flash error message on refresh-less liveview sign-in experience please

zachdaniel · May 3, 2024, 10:40pm

You can’t use put_flash when using the sign_in tokens, if the failure was a “normal” failure. What I mean by this is that the sign in action submits the form and shows any errors, and if there were things like validation errors or anything standard like that, it just displays them. Is your log level configured low enough? Try setting it to debug to see if any errors come through. Otherwise, you can turn off sign_in_tokens and see what the failure is, which it sounds like you did.

What failure are you seeing? I’m not sure what you mean about identity_name, but @jimsynz might be able to give you pointers on that front. What do you need the identity_name for? What is the nature of the failure?

kurmetaubanov · May 3, 2024, 10:50pm

identity_name for my project is just username field, not email.

I have turned on debug_authentication_failures and I get two warnings with details

[warning] Authentication failed: Password is not valid
Details: %AshAuthentication.Errors.AuthenticationFailed{
...}

and

[warning] Authentication failed: Forbidden

*Authentication failed
Details: %AshAuthentication.Errors.AuthenticationFailed{
... }

i have also tried this overrides for Sign-In component:

  override Components.SignIn do
    set :root_class, """
    flex-1 flex flex-col justify-center py-12 px-4 sm:px-6 lg:flex-none
    lg:px-20 xl:px-24
    """

    set :strategy_class, "mx-auto w-full max-w-sm lg:w-96"
    set :authentication_error_container_class, "text-error text-center"
    set :authentication_error_text_class, "text-red-600 font-semibold"
    set :show_banner, true
  end

zachdaniel · May 3, 2024, 11:37pm

On your resource, do you have policies?

kurmetaubanov · May 3, 2024, 11:40pm

No policies for my resource

kurmetaubanov · May 3, 2024, 11:52pm

No policies

kurmetaubanov · May 4, 2024, 12:14am

what i see in the source code, there is no authentication_error_container_class or authentication_error_text_class in Ash Authentication Phoenix 1.9.4, i was hoping this would be some message that appears between password and Sign In button, maybe it was planned to be there

zachdaniel · May 4, 2024, 12:49am

@jimsynz may need to chime in. I think the Details of the errors might be pretty important TBH. I’ve just tried this out in my application and these things are working fine