AshAuthentication password_reset_with_password fails when called by AshGraphQL

sezaru · October 16, 2023, 4:41pm

When calling password_reset_with_password from AshGraphQL it will fail since the update mutation expects me to be logged.

Calling the action directly from IEX works fine.

Here is how I added it to my graphql block:

graphql do
    ...

    mutations do
      update :password_reset_with_password, :password_reset_with_password do
        identity false
      end

      ...
    end
  end

This is how I’m calling it:

passwordResetWithPassword(
  input: {
    password: "12345678"
    passwordConfirmation: "12345678"
    resetToken: "my reset token"
  }
) {
  metadata {
    token
  }
  result {
    fullName
    email
  }
  errors {
    message
  }
}

From the terminal, I get this error:

SELECT u0."id", u0."email", u0."hashed_password", u0."phone_number", u0."first_name", u0."surname", u0."roles", u0."organization_roles", u0."confirmed_at", u0."active?", u0."referral_code", u0."normalized_full_name", u0."inserted_at", u0."updated_at", u0."organization_id", u0."created_by_id", u0."referred_by_id" FROM "users" AS u0 []
[warning] `1a4e5e6f-8131-42b8-bcdb-bc3e71bc818b`: AshGraphql.Error not implemented for error:
** (Ash.Error.Invalid.MultipleResults) expected at most one result but got at least 15.
      
      Please ensure your action is configured with an appropriate filter to ensure a single result is returned.
    (ash 2.14.17) lib/ash/api/api.ex:1948: Ash.Api.unwrap_one/1
    (ash 2.14.17) lib/ash/api/api.ex:1930: Ash.Api.unwrap_one/1
    (marketplace 1.3.2) lib/marketplace/accounts.ex:1: Marketplace.Accounts.read_one/2
    (ash_graphql 0.26.6) lib/graphql/resolver.ex:1137: AshGraphql.Graphql.Resolver.mutate/2
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:234: Absinthe.Phase.Document.Execution.Resolution.reduce_resolution/1
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:189: Absinthe.Phase.Document.Execution.Resolution.do_resolve_field/3
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:174: Absinthe.Phase.Document.Execution.Resolution.do_resolve_fields/6
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:145: Absinthe.Phase.Document.Execution.Resolution.resolve_fields/4
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:88: Absinthe.Phase.Document.Execution.Resolution.walk_result/5
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:67: Absinthe.Phase.Document.Execution.Resolution.perform_resolution/3
    (absinthe 1.7.5) lib/absinthe/phase/document/execution/resolution.ex:24: Absinthe.Phase.Document.Execution.Resolution.resolve_current/3
    (absinthe 1.7.5) lib/absinthe/pipeline.ex:408: Absinthe.Pipeline.run_phase/3
    (absinthe_plug 1.5.8) lib/absinthe/plug.ex:536: Absinthe.Plug.run_query/4
    (absinthe_plug 1.5.8) lib/absinthe/plug.ex:290: Absinthe.Plug.call/2
    (phoenix 1.7.9) lib/phoenix/router/route.ex:42: Phoenix.Router.Route.call/2
    (phoenix 1.7.9) lib/phoenix/router.ex:432: Phoenix.Router.__call__/5
    (marketplace 1.3.2) lib/marketplace_web/endpoint.ex:1: MarketplaceWeb.Endpoint.plug_builder_call/2
    (marketplace 1.3.2) deps/plug/lib/plug/debugger.ex:136: MarketplaceWeb.Endpoint."call (overridable 3)"/2
    (marketplace 1.3.2) lib/marketplace_web/endpoint.ex:1: MarketplaceWeb.Endpoint."call (overridable 4)"/2
    (marketplace 1.3.2) lib/marketplace_web/endpoint.ex:1: MarketplaceWeb.Endpoint.call/2
    (phoenix 1.7.9) lib/phoenix/endpoint/sync_code_reload_plug.ex:22: Phoenix.Endpoint.SyncCodeReloadPlug.do_call/4
    (plug_cowboy 2.6.1) lib/plug/cowboy/handler.ex:11: Plug.Cowboy.Handler.init/2
    (cowboy 2.10.0) /home/jeferson/workspace/rebuilt/platform/marketplace/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
    (cowboy 2.10.0) /home/jeferson/workspace/rebuilt/platform/marketplace/deps/cowboy/src/cowboy_stream_h.erl:306: :cowboy_stream_h.execute/3
    (cowboy 2.10.0) /home/jeferson/workspace/rebuilt/platform/marketplace/deps/cowboy/src/cowboy_stream_h.erl:295: :cowboy_stream_h.request_process/3
    (stdlib 5.0.2) proc_lib.erl:241: :proc_lib.init_p_do_apply/3

Seems like it is trying to find a user, but since I’m not logged (I mean, I’m resetting the password, so I can’t be logged first since I don’t know the initial password anyway), it will just query the full users table without a filter.

zachdaniel · October 16, 2023, 4:55pm

This is pretty strange. With that default setup it should be requiring an id input…what does the generated schema for that action look like?

sezaru · October 16, 2023, 4:59pm

It is just the default action AshAuthentication creates when we use the password strategy, here is the generated schema:

%Ash.Resource.Actions.Update{
  name: :password_reset_with_password,
  primary?: false,
  description: nil,
  error_handler: nil,
  accept: [],
  manual: nil,
  manual?: false,
  atomics: [],
  require_attributes: [],
  delay_global_validations?: false,
  skip_global_validations?: false,
  arguments: [
    %Ash.Resource.Actions.Argument{
      allow_nil?: true,
      type: Ash.Type.String,
      name: :reset_token,
      default: nil,
      private?: false,
      sensitive?: true,
      description: nil,
      constraints: [allow_empty?: false, trim?: true]
    },
    %Ash.Resource.Actions.Argument{
      allow_nil?: false,
      type: Ash.Type.String,
      name: :password,
      default: nil,
      private?: false,
      sensitive?: true,
      description: nil,
      constraints: [allow_empty?: false, trim?: true, min_length: 8]
    },
    %Ash.Resource.Actions.Argument{
      allow_nil?: false,
      type: Ash.Type.String,
      name: :password_confirmation,
      default: nil,
      private?: false,
      sensitive?: true,
      description: nil,
      constraints: [allow_empty?: false, trim?: true, min_length: 8]
    }
  ],
  changes: [
    %Ash.Resource.Validation{
      validation: {AshAuthentication.Strategy.Password.ResetTokenValidation,
        []},
      module: AshAuthentication.Strategy.Password.ResetTokenValidation,
      opts: [],
      only_when_valid?: false,
      description: nil,
      message: nil,
      before_action?: false,
      where: [],
      on: []
    },
    %Ash.Resource.Validation{
      validation: {AshAuthentication.Strategy.Password.PasswordConfirmationValidation,
        []},
      module: AshAuthentication.Strategy.Password.PasswordConfirmationValidation,
      opts: [],
      only_when_valid?: false,
      description: nil,
      message: nil,
      before_action?: false,
      where: [],
      on: []
    },
    %Ash.Resource.Change{
      change: {AshAuthentication.Strategy.Password.HashPasswordChange, []},
      on: nil,
      only_when_valid?: false,
      description: nil,
      where: []
    },
    %Ash.Resource.Change{
      change: {AshAuthentication.GenerateTokenChange, []},
      on: nil,
      only_when_valid?: false,
      description: nil,
      where: []
    }
  ],
  reject: [],
  metadata: [
    %Ash.Resource.Actions.Metadata{
      allow_nil?: false,
      type: Ash.Type.String,
      name: :token,
      default: nil,
      description: nil,
      constraints: [allow_empty?: false, trim?: true]
    }
  ],
  transaction?: true,
  touches_resources: [],
  type: :update
}

The only difference from the original is that I added these two changes to it:

change Actions.PasswordResetWithPassword.Changes.RemoveAllTokens,
    where: [action_is(:password_reset_with_password)]

change Actions.PasswordResetWithPassword.Changes.SendEmail,
    where: [action_is(:password_reset_with_password)]

But these, I believe, should not change anything regarding the error I’m getting.

sezaru · October 16, 2023, 5:01pm

Just for completness, before what I did to fix this was to create the graphql mutation by hand like this:

    field :password_reset_with_password, type: :logged_user_output do
      arg :input, non_null(:password_reset_with_password_input)

      resolve fn _, %{input: args}, _ ->
        strategy = AshAuthentication.Info.strategy!(User, :password)
        args = args |> Enum.map(fn {k, v} -> {Atom.to_string(k), v} end) |> Enum.into(%{})

        case AshAuthentication.Strategy.Password.Actions.reset(strategy, args, []) do
          {:ok, user} ->
            {:ok, %{user: user, token: user.__metadata__.token}}

          {:error, %{errors: errors}} ->
            errors = Enum.map(errors, &AshGraphql.Error.to_error/1)

            {:ok, %{errors: errors}}

          {:error, %AshAuthentication.Errors.InvalidToken{}} ->
            {:ok, %{errors: [%{code: "invalid_token"}]}}
        end
      end
    end

In this case I’m using AshAuthentication.Strategy.Password.Actions.reset instead of the password_reset_with_password action. But I want to remove this code and just use AshGraphql + AshAuthentication directly in my resource.

zachdaniel · October 16, 2023, 6:57pm

Ah, sorry I’m looking for the graphql schema. Like if you load up the explorer or something like that, I was looking for whether or not it supports an id input, because it should, I think.

EDIT: actually, thinking about this, that doesn’t make sense. It would need to look up a user by email. Might need a consult from @jimsynz on this one.

sezaru · October 16, 2023, 7:15pm

Yes, by default it does support the id input, but I disable it with the identity false option.

It is as you said, you shouldn’t need to have to fetch the user to run this action since the whole point is to actually reset the password of an account that you don’t currently have access to.

In any case, here is the action schema

zachdaniel · October 16, 2023, 7:26pm

Okay, gotcha, so, set identity :unique_email (or whatever the identity is that users use to log in).

sezaru · October 16, 2023, 7:34pm

Thanks! That worked great!