AshAuthentication: Restricting signin for non verified users

I'm using AshAuthentication and testing account creation confirmations.

I noticed it's possible to sign in even with confirmations on, with a non-verified account.
So I am wondering if it's possible to restrict certain actions if the account is not verified, or do I have to create a custom sign_in action to achieve this?

@jimsynz will probably be able to give you a better answer here, as I haven’t set this kind of thing up yet.

Some ideas:

  1. you can attach preparations to the read action for sign_in_with_password. This style would make it look like unconfirmed users don’t exist.

     ```elixir
     preparations do
       prepare fn query, _ ->
         # `query.action.name` is assumed: the left operand is missing in the post
         if query.action.name == :sign_in_with_password,
           do: Ash.Query.filter(query, verified == true),
           else: query
       end
     end
     ```

  2. you could redirect non-verified users to a “please go verify yourself” page globally.

Zach has it right. You can either add a filter on not is_nil(confirmed_at) or an after action hook to the sign_in_with_password action to enforce the behaviour you want.

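One way to package the `not is_nil(confirmed_at)` filter suggested above as a reusable preparation module. This is an added example, not code from the thread or from AshAuthentication. The module name `MyApp.Accounts.Preparations.RequireConfirmed` is hypothetical, and it assumes the confirmation add-on stores its timestamp in `confirmed_at`, as in the reply above.

```elixir
defmodule MyApp.Accounts.Preparations.RequireConfirmed do
  @moduledoc """
  Hides unconfirmed users from the password sign-in action.
  Hypothetical module name; added example, not part of AshAuthentication.
  """
  use Ash.Resource.Preparation

  # Ash.Query.filter/2 is a macro, so the module must require Ash.Query.
  require Ash.Query

  # Action name as used in the thread.
  @sign_in_action :sign_in_with_password

  @impl true
  def prepare(%Ash.Query{action: %{name: @sign_in_action}} = query, _opts, _context) do
    # The query returns no record for an unconfirmed account, so sign-in
    # fails the same way it does for an unknown identity.
    Ash.Query.filter(query, not is_nil(confirmed_at))
  end

  # Every other read action, and any query with no action set, is left untouched.
  def prepare(query, _opts, _context), do: query
end

# Wiring it into the user resource (the one that uses AshAuthentication):
#
#   preparations do
#     prepare MyApp.Accounts.Preparations.RequireConfirmed
#   end
```

Because the second clause matches any other query, the preparation is safe to attach at the resource level without affecting other read actions.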

That works, thanks @zachdaniel @jimsynz!