AshAuthentication does not use tenant set with Ash.PlugHelpers.set_tenant

Ash Forum Ash Questions / Help
,
1

Hi, I’m trying to get AshAuthentication to work in a context multi-tenancy setup but I’m having trouble getting AshAuthentication to use the tenant set using Ash.PlugHelpers.set_tenant/2. I have the following plug added to the pipeline:

defmodule ExampleWeb.Plugs.TenantSetter do
  @moduledoc """
  Set Ash tenant from current_tenant in connection
  """
  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    Ash.PlugHelpers.set_tenant(conn, conn.assigns.current_organization.id)
  end
end

and I can see the tenant being added to conn but I get the following error when trying to authenticate:

[warning] Unhandled error in form submission for Example.Accounts.User.sign_in_with_password

This error was unhandled because Ash.Error.Invalid.TenantRequired does not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Invalid.TenantRequired) Queries against the Example.Accounts.User resource require a tenant to be specified

I’ve found other topics that mention that AshAuthentication should use the tenant when set with the PlugHelpers. Is this correct?

1 Like
2

Are you on the latest version of ash_authentication and ash_authentication_phoenix?

3

I am:

%{
  "ash": {:hex, :ash, "2.21.12", ...},
  "ash_authentication": {:hex, :ash_authentication, "3.12.4", ...},
  "ash_authentication_phoenix": {:hex, :ash_authentication_phoenix, "1.9.4", ...},
}
4

Ah, I wonder if we didn’t back port a fix somewhere:( I’m not at a computer, but you could fork ash authentication phoenix, and check out the tag for the version you’re on, make a branch, and cherry pick this commit: fix: set tenant on form creation · team-alembic/ash_authentication_phoenix@7430ab7 · GitHub

Then you can point at your fork. That will likely fix the issue.

Or you can open an issue and well fix it in the next day or two :slight_smile:

5

I see, thanks for looking into it, I’ll try this later tonight :slight_smile:

6

Hi @zachdaniel is this resolved ? Can I update to the latest version I am facing the same issue dont want to fork the repo & point to it for sanity reasons :slight_smile:

7

In 2.x? Or in 3.x? The problem doesn’t exist in 3.x, only in the 2.x compatible versions.

I didn’t address this issue, but if someone could make an issue or PR w/ the steps I mentioned above that would be great.

8

I’m seeing the same thing in 3.x with the following versions.

  "ash": {:hex, :ash, "3.3.1", "fc67719590b3f3488f90b267666364f6ac364e7658bee3806c2739c9850d05d9", [:mix], [{:comparable, "~> 1.0", [hex: :comparable, repo: "hexpm", optional: false]}, {:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:ecto, "~> 3.7", [hex: :ecto, repo: "hexpm", optional: false]}, {:ets, "~> 0.8", [hex: :ets, repo: "hexpm", optional: false]}, {:igniter, ">= 0.3.11 and < 1.0.0-0", [hex: :igniter, repo: "hexpm", optional: false]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: false]}, {:picosat_elixir, "~> 0.2", [hex: :picosat_elixir, repo: "hexpm", optional: true]}, {:plug, ">= 0.0.0", [hex: :plug, repo: "hexpm", optional: true]}, {:reactor, "~> 0.9", [hex: :reactor, repo: "hexpm", optional: false]}, {:simple_sat, ">= 0.1.1 and < 1.0.0-0", [hex: :simple_sat, repo: "hexpm", optional: true]}, {:spark, ">= 2.2.8 and < 3.0.0-0", [hex: :spark, repo: "hexpm", optional: false]}, {:splode, "~> 0.2", [hex: :splode, repo: "hexpm", optional: false]}, {:stream_data, "~> 1.0", [hex: :stream_data, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.1", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "de8568f528194edd6d22f8941f5f67589788fe9a3868e900efac81e2ded25955"},
  "ash_authentication": {:hex, :ash_authentication, "4.0.1", "27e5fcda1022897a02903441a049ba9e5f655e51a757039d946f5bce1de0447c", [:mix], [{:ash, "~> 3.0", [hex: :ash, repo: "hexpm", optional: false]}, {:ash_postgres, "~> 2.0", [hex: :ash_postgres, repo: "hexpm", optional: true]}, {:assent, ">= 0.2.8 and < 1.0.0-0", [hex: :assent, repo: "hexpm", optional: false]}, {:bcrypt_elixir, "~> 3.0", [hex: :bcrypt_elixir, repo: "hexpm", optional: false]}, {:castore, "~> 1.0", [hex: :castore, repo: "hexpm", optional: false]}, {:finch, "~> 0.18.0", [hex: :finch, repo: "hexpm", optional: false]}, {:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: false]}, {:joken, "~> 2.5", [hex: :joken, repo: "hexpm", optional: false]}, {:plug, "~> 1.13", [hex: :plug, repo: "hexpm", optional: false]}, {:spark, "~> 2.0", [hex: :spark, repo: "hexpm", optional: false]}, {:splode, "~> 0.2", [hex: :splode, repo: "hexpm", optional: false]}], "hexpm", "e204585c8eed2d46a12e7031da48a169c513d5074ba43da90be0a92f7e1e0413"},
  "ash_authentication_phoenix": {:hex, :ash_authentication_phoenix, "2.0.1", "572126105d5479e3dafd737951118dae559aa89bad71b0b06ad7aa09a395829e", [:mix], [{:ash, "~> 3.0", [hex: :ash, repo: "hexpm", optional: false]}, {:ash_authentication, "~> 4.0", [hex: :ash_authentication, repo: "hexpm", optional: false]}, {:ash_phoenix, "~> 2.0", [hex: :ash_phoenix, repo: "hexpm", optional: false]}, {:bcrypt_elixir, "~> 3.0", [hex: :bcrypt_elixir, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.6", [hex: :phoenix, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 4.0", [hex: :phoenix_html, repo: "hexpm", optional: false]}, {:phoenix_html_helpers, "~> 1.0", [hex: :phoenix_html_helpers, repo: "hexpm", optional: false]}, {:phoenix_live_view, "~> 0.18", [hex: :phoenix_live_view, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: false]}, {:slugify, "~> 1.3", [hex: :slugify, repo: "hexpm", optional: false]}], "hexpm", "b4b38c72cb49fd6c5243e4a110b1bcd4138bb0074bb8b5a165e40d29abc1382e"},
  "ash_phoenix": {:hex, :ash_phoenix, "2.1.0", "a05d372df10f079b96ff1558aa2fc896a064c6861a25d6cf419ef434a6607f80", [:mix], [{:ash, "~> 3.0", [hex: :ash, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.5.6 or ~> 1.6", [hex: :phoenix, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 4.0", [hex: :phoenix_html, repo: "hexpm", optional: false]}, {:phoenix_live_view, "~> 0.20.3 or ~> 1.0", [hex: :phoenix_live_view, repo: "hexpm", optional: false]}], "hexpm", "ef6a509db2a69ace5e8200fd5cb075f707980a2d6e29ac65b36ea215f3e8952c"},

I see the code is referring to current_tenant, is there something special I have to do to AshAuthentication to pass that in? My plug is currently calling set_tenant with my Tenant struct, and then I’ve implemented a to_tenant to suck the ID out of that.

 defmodule FloorwardWeb.Plugs.TenantPlug do
  import Plug.Conn
  def init(default), do: default

  def call(conn, _opts) do
    tenant = get_tenant_from_host(conn.host)

    conn
    |> Ash.PlugHelpers.set_tenant(tenant)
  end

  defp get_tenant_from_host(host) do
    case Floorward.Tenants.Tenant
         |> Ash.Query.for_read(:by_hostname, hostname: host)
         |> Ash.read_one() do
      {:ok, tenant} -> tenant
      _ -> :unknown
    end
  end
end
9

Is your TenantPlug definitely running before your authorization live session? like is the appropriate pipeline used in that scope, etc?

10

I sure think so:

From endpoint.ex

  plug Plug.MethodOverride
  plug Plug.Head
  plug Plug.Session, @session_options
  plug FloorwardWeb.Plugs.TenantPlug
  plug FloorwardWeb.Plugs.CurrentUriPlug
  plug FloorwardWeb.Router

And then in the router.ex:

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {FloorwardWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  scope "/", FloorwardWeb do
    pipe_through :browser

    get "/", PageController, :home
    sign_in_route(
      register_path: "/register",
      reset_path: "/reset",
      # prevent signed in users from hitting Signin
      on_mount: [
        {LiveUserAuth, :live_no_user}
      ],
      # https://hexdocs.pm/ash_authentication_phoenix/ui-overrides.html
      overrides: [FloorwardWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default]
    )

    sign_out_route AuthController
    auth_routes_for Floorward.Accounts.User, to: AuthController
    reset_route []

    ash_authentication_live_session :authentication_optional,
      on_mount: [
        {LiveUserAuth, :live_user_optional},
      ] do
      live "/customers/", Customers.CustomerListLive, :index
    end
  end

I feel like I’m missing something here because

<%= @current_tenant.name %> in my Customer live view does work.

11

:thinking: that looks right to me… As far as I can tell, we’re properly setting the tenant into the session, which is then being pulled out of the session and put into an assign in an on mount hook. Can you show the error you’re seeing? Just so we can be sure its the same?

12

Sure. This is what I’m seeing on attempted login.

[debug] HANDLE EVENT "submit" in AshAuthentication.Phoenix.SignInLive
  Component: AshAuthentication.Phoenix.Components.Password.SignInForm
  Parameters: %{"_csrf_token" => "B2UGNQIDOhl0ExEbIC9mJDg2HgZDIj8wu4jEdiWkGWGACD1CwDjH-xzG", "_method" => "POST", "user" => %{"email" => "user@user.com", "password" => "[FILTERED]"}}
[warning] Unhandled error in form submission for Floorward.Accounts.User.sign_in_with_password

This error was unhandled because Ash.Error.Invalid.TenantRequired does not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Invalid.TenantRequired) Queries against the Floorward.Accounts.User resource require a tenant to be specified

[debug] Replied in 11ms
13

We should make that display a stack trace if there is one.

14

Okay, so we’re going to have to do some more advanced debugging. As far as I can tell we’ve fixed this before, so something has to be different.

Add a live_session that uses this session hook

live_session :whatever, session: {AshAuthentication.Phoenix.Router, :generate_session, %{}} do
  live CustomLiveView
end

And then check to see what is in the session when mounting that liveview. If "tenant" is properly set or not, that will really help.

15

It sure looks like it’s properly set, but I had to tweak your code a bit. I think generate_session is in AshAuthentication.Phoenix.LiveSession, right? And the %{} fails the match in LiveView and needs to be [], I think.

I also add the on_mount. Without that, current_tenant was not assigned

    live_session :whatever,
      on_mount: AshAuthentication.Phoenix.LiveSession,
      session: {AshAuthentication.Phoenix.LiveSession, :generate_session, []} do
      live "/test/", Customers.CustomerListLive, :index
    end

With the above, the following shows a filled out tenant

<p><%= @current_tenant |> inspect %></p>

#Floorward.Tenants.Tenant<__meta__: #Ecto.Schema.Metadata<:loaded, "tenants">, id: "cdb378f1-da68-4898-bcdc-26de6cd76e41", name: "Development", hostname: "localhost", aggregates: %{}, calculations: %{}, ...>

I was wondering if my use of a struct instead of a string ID was causing something, but I just tried updating that and no luck.

Regarding your comment on getting a stack trace: I’ve tried a few things and not sure how to actually do that. I did manage to get a trace with Rexbug. Not sure if that’s helpful:

[debug] MOUNT FloorwardWeb.Customers.CustomerListLive
  Parameters: %{}
  Session: %{"_csrf_token" => "rQlpfjmr3DVZckWgOrtNnZEw", "tenant" => #Floorward.Tenants.Tenant<__meta__: #Ecto.Schema.Metadata<:loaded, "tenants">, id: "cdb378f1-da68-4898-bcdc-26de6cd76e41", name: "Development", hostname: "localhost", aggregates: %{}, calculations: %{}, ...>}

# 14:21:27.749 #PID<0.796.0> FloorwardWeb.Customers.CustomerListLive.mount/3
# AshAuthentication.authenticated_resources(:floorward)

# 14:21:27.749 #PID<0.796.0> FloorwardWeb.Customers.CustomerListLive.mount/3
# AshAuthentication.-authenticated_resources/1-fun-1-(:floorward)

# 14:21:27.749 #PID<0.796.0> FloorwardWeb.Customers.CustomerListLive.mount/3
# AshAuthentication.-authenticated_resources/1-fun-0-(Floorward.Accounts.User)

# 14:21:27.749 #PID<0.796.0> FloorwardWeb.Customers.CustomerListLive.mount/3
# AshAuthentication.-authenticated_resources/1-fun-0-(Floorward.Accounts.Token)

# 14:21:27.749 #PID<0.796.0> FloorwardWeb.Customers.CustomerListLive.mount/3
# AshAuthentication.-authenticated_resources/1-fun-0-(Floorward.Customers.Customer)

# 14:21:27.749 #PID<0.796.0> FloorwardWeb.Customers.CustomerListLive.mount/3
# AshAuthentication.-authenticated_resources/1-fun-0-(Floorward.Tenants.Tenant)
[debug] QUERY OK source="customers" db=0.3ms queue=0.5ms idle=1784.5ms
SELECT c0."id", c0."name", c0."address", c0."tenant_id" FROM "customers" AS c0 WHERE (c0."tenant_id"::uuid = $1::uuid) ["cdb378f1-da68-4898-bcdc-26de6cd76e41"]
↳ anonymous fn/3 in AshPostgres.DataLayer.run_query/2, at: lib/data_layer.ex:767
[debug] Replied in 39ms
[debug] HANDLE PARAMS in FloorwardWeb.Customers.CustomerListLive
  Parameters: %{}
[debug] Replied in 108µs
[info] GET /sign-in
[debug] QUERY OK source="tenants" db=0.3ms queue=0.4ms idle=767.4ms
SELECT t0."id", t0."name", t0."hostname" FROM "tenants" AS t0 WHERE (t0."hostname"::text = $1::text) ["localhost"]
↳ anonymous fn/3 in AshPostgres.DataLayer.run_query/2, at: lib/data_layer.ex:767
[debug] Processing with AshAuthentication.Phoenix.SignInLive.sign_in/2
  Parameters: %{}
  Pipelines: [:browser]

# 14:21:28.784 #PID<0.787.0> Bandit.DelegatingHandler.init/1
# AshAuthentication.authenticated_resources(:floorward)

# 14:21:28.784 #PID<0.787.0> Bandit.DelegatingHandler.init/1
# AshAuthentication.-authenticated_resources/1-fun-1-(:floorward)

# 14:21:28.784 #PID<0.787.0> Bandit.DelegatingHandler.init/1
# AshAuthentication.-authenticated_resources/1-fun-0-(Floorward.Accounts.User)

# 14:21:28.784 #PID<0.787.0> Bandit.DelegatingHandler.init/1
# AshAuthentication.-authenticated_resources/1-fun-0-(Floorward.Accounts.Token)
redbug done, msg_count - 10
[info] Sent 200 in 92ms
[info] CONNECTED TO Phoenix.LiveView.Socket in 19µs
  Transport: :longpoll
  Serializer: Phoenix.Socket.V2.JSONSerializer
  Parameters: %{"_csrf_token" => "AQUEBz8wB0RhARVpOh0QC30wQX4kKHYHsThwYZj6REC3YvGl2B50Jr3p", "_live_referer" => "undefined", "_mounts" => "0", "_track_static" => %{"0" => "http://localhost:4000/assets/app.css", "1" => "http://localhost:4000/assets/app.js", "2" => "http://localhost:4000/icon/apple-touch-icon.png", "3" => "http://localhost:4000/icon/favicon-16x16.png", "4" => "http://localhost:4000/icon/site.webmanifest"}, "vsn" => "2.0.0"}
[debug] MOUNT AshAuthentication.Phoenix.SignInLive
  Parameters: %{}
  Session: %{"_csrf_token" => "rQlpfjmr3DVZckWgOrtNnZEw", "otp_app" => nil, "overrides" => [FloorwardWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default], "path" => "/sign-in", "register_path" => "/register", "reset_path" => "/reset"}
[debug] Replied in 153µs
[debug] HANDLE PARAMS in AshAuthentication.Phoenix.SignInLive
  Parameters: %{}
[debug] Replied in 27µs
[debug] HANDLE EVENT "change" in AshAuthentication.Phoenix.SignInLive
  Component: AshAuthentication.Phoenix.Components.Password.SignInForm
  Parameters: %{"_csrf_token" => "PgAHIgw7NBRWCDAZF1wVIysjIiA6CAJHLQkRjQYfeLfCt7BDdQVnTRG0", "_method" => "POST", "_target" => ["user", "email"], "user" => %{"_unused_password" => "[FILTERED]", "email" => "user", "password" => "[FILTERED]"}}
[debug] Replied in 8ms
[debug] HANDLE EVENT "change" in AshAuthentication.Phoenix.SignInLive
  Component: AshAuthentication.Phoenix.Components.Password.SignInForm
  Parameters: %{"_csrf_token" => "PgAHIgw7NBRWCDAZF1wVIysjIiA6CAJHLQkRjQYfeLfCt7BDdQVnTRG0", "_method" => "POST", "_target" => ["user", "email"], "user" => %{"_unused_password" => "[FILTERED]", "email" => "user@user.com", "password" => "[FILTERED]"}}
[debug] Replied in 562µs
[debug] HANDLE EVENT "submit" in AshAuthentication.Phoenix.SignInLive
  Component: AshAuthentication.Phoenix.Components.Password.SignInForm
  Parameters: %{"_csrf_token" => "PgAHIgw7NBRWCDAZF1wVIysjIiA6CAJHLQkRjQYfeLfCt7BDdQVnTRG0", "_method" => "POST", "user" => %{"email" => "user@user.com", "password" => "[FILTERED]"}}
[warning] Unhandled error in form submission for Floorward.Accounts.User.sign_in_with_password

This error was unhandled because Ash.Error.Invalid.TenantRequired does not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Invalid.TenantRequired) Queries against the Floorward.Accounts.User resource require a tenant to be specified

[debug] Replied in 10ms
[warning] Unhandled error in form submission for Floorward.Accounts.User.sign_in_with_password

This error was unhandled because Ash.Error.Invalid.TenantRequired does not implement the `AshPhoenix.FormData.Error` protocol.

** (Ash.Error.Invalid.TenantRequired) Queries against the Floorward.Accounts.User resource require a tenant to be specified
16

Actually, setting a struct could theoretically cause problems in this case. You mentioned that you tried a string, when using Plug.set_tenant you tried setting a string instead of a struct?

17

Yes. I did try returning tenant.id from the plug with the same result.

18

Would you be interested in inviting me to the project? I could see if its a bug pretty easily that way, and fix it.

19

Absolutely! Thank you so much.

You should have received an invitation to jclement/floorward from github.

I really appreciate your help on this!

20

Thank you for sharing your project code. I’ve figured out the issue :slight_smile:

There are two paths that can be gone down for signing in.

  1. authentication over liveview. In this case, the liveview authenticates the user, and is given a very short-lived sign_in token that can be exchanged for an authentication token. Then, the user is redirected to an endpoint that exchanges the sign in token for a regular token. The benefit of this token is that the user gets an SPA-style experience, instead of a redirect + flash message. However, to do this, you must first set sign_in_tokens_enabled? true in your password block. Doing that resolves the issue.
  2. The form is submitted to a controller the “old fashioned” way. When we fixed the original bug here, we did not fix that particular issue it seems. I’m investigating that currently.