mbuhot
Ash Authentication - User Invitation Flow
Hi 
I’d like to add a user invitation flow to an application currently using AshAuthentication with the password strategy.
The flow would work something like:
- An existing Admin user will create the initial User resource
- AshAuthentication generates a token with ~48h expiry
- Invitation email is sent to new user including token in a URL
- User clicks and lands on a page allowing them to set their password
- Once password set, user is authenticated and redirected to a page in the app
Is this something I can achieve with the password strategy? It’s fairly similar to triggering a password-reset, but has a few differences in the email content, token expiry and UI.
Any suggestions much appreciated, thanks!
Most Liked
jimsynz
I’d suggest looking at the way that the password strategy handles the reset flow - it should be relatively simple to duplicate and modify it to support invites.
My only question is whether this should be a different strategy entirely - ie separate from the password strategy. It seems to me that you may want to invite users to sign up with other strategies also. My gut feeling is that you can use the token resource to store invites (you can store arbitrary data in the extra_data field) that way you can rely on the existing expiration and expunge logic. Perhaps there should also be a setting that disables registration without the invite token?
mbuhot
We ended up using a short-term solution where the password reset flow was adapted to implement an invitation.
Some code details that may be helpful for anyone looking to do the same...
Action on the User resource to generate a token and send invitation:
update :send_invitation_email do
require_atomic? false
change after_action(fn _changeset, user, _ctx ->
# Generate a password reset token
{:ok, strategy} = AshAuthentication.Info.strategy(__MODULE__, :password)
{:ok, token} =
AshAuthentication.Strategy.Password.reset_token_for(strategy, user)
# Send token in Invitation email
{:ok, email_result} =
MyApp.Notifications.UserInvitationEmail.send(
recipients: user,
token: token
)
{:ok, user}
end)
end
Email links to a custom UI presenting a “Set Your Password” message in place of the usual “Reset Password”
I had to work around having multiple password reset routes in the same scope by inlining the reset_route macro:
scope "/", MyAppWeb do
pipe_through([:browser, :browser_ash_authentication])
reset_route(
live_view: MyAppWeb.PasswordResetLive,
overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default]
)
# Can't have multiple reset_route - inlining macro here to approximate it.
scope "/accept-invitation", alias: false do
live_session :accept_invitation,
session: %{
"overrides" => [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],
"otp_app" => nil
} do
live("/:token", MyAppWeb.AcceptInviteLive, :accept_invitation, as: :auth)
end
end
... more routes
end
The custom UI eventually calls the reset action with:
result =
MyApp.User
|> AshAuthentication.Info.strategy!(:password)
|> AshAuthentication.Strategy.action(:reset, %{
"reset_token" => token,
"password" => password,
"password_confirmation" => password_confirmation
})
jimsynz
What about non-password strategies? ie allowing someone to accept an invite and then sign in with github for example.
Popular in Questions
Other popular topics
Latest Ash Threads
Latest on Elixir Forum
Sponsor Spotlight
We build reliable cloud platforms for business-critical systems.
Categories:
Sub Categories:
Forums
Our Sponsors
Build Elixir applications with speed and confidence.
Supporting innovation across the BEAM ecosystem.
We build reliable cloud platforms for business-critical systems.
Catch errors, track performance, monitor hosts and more.
Practical resources that improve the lives of professional developers.
Develop your skills with books, videos, and courses.
The deployment platform built for Elixir: PaaS ease, VPS control.
Courses that'll move you from confusion to "Aha, now I get it!"