Ask for an example that shows how to do authentication via json api

The following routes are defined on the User resource:

  json_api do
    type "user"

    routes do
      base "/users"
      get :read
      get :current_user, route: "/me"
      index :read
      post :register_with_password
    end
  end

How do I connect this to MyAppWeb.ApiAuthController in router.ex? I want to set up JSON API routes for register, sign_in and sign_out.

1 Like

Right now there is not a good set up for using ash_json_api to do sign in/registration. You will need to handwrite phoenix controllers. This is, however, something I am working on this week: Ash Framework Roadmap · GitHub

1 Like

Support for this is now in main, with a guide on setting it up. It will be a few days at least before this gets a proper release: ash_json_api/documentation/topics/authenticate-with-json-api.md at main · ash-project/ash_json_api · GitHub

2 Likes

Thank you for your quick response. What about sign_out?

You should be able to work something out for sign_out using the new feature in main of connecting generic actions to routes.

routes do
  route :delete, :sign_out, "/sign_out"
end

...

actions do
  action :sign_out, :atom do
    constraints one_of: [:success]

    run fn _input, _context ->
      # expire/delete the token here, then report success
      {:ok, :success}
    end
  end
end

TBH I forget exactly what the sign_out logic does by default, I think it just expires the token. @jimsynz may be able to provide more info here. Check the actions defined in your user/token resources, using Ash.Resource.Info.actions(User) and Ash.Resource.Info.actions(Token) to see what actions are generated by AshAuthentication for calling.

1 Like

Following the doc you listed, I set up the sign-in JSON API and tested it via SwaggerUI. Policies are defined in the User resource as follows:

  policies do
    ...

    bypass action(:sign_in_with_password) do
      authorize_if always()
    end
  end

Unexpectedly, I got Forbidden back. What is the reason that this JSON API returned Forbidden?

It is probably a policy failing in the token resource. You can reproduce any action being called by AshJsonApi by calling it directly (in a test or in iex, for example), and you’ll likely get more information there. Set the following configs in your dev.exs and test.exs to get more policy-related information:

config :ash, :policies, show_policy_breakdowns?: true
config :ash, :policies, log_policy_breakdowns: :error

1 Like

After some trial and error, I found that if email and password don’t match the database, then Forbidden/403 is returned. Is this reasonable?

Yes, this should be correct. It returns a 403 if there is no matching email in the database as well, so this can’t be used for an enumeration attack.
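The two replies above suggest reproducing the sign-in action directly instead of through AshJsonApi, and point out that a wrong password and an unknown email both come back as Forbidden. The ExUnit test below is an added example written for this thread, not code from the original posts or from ash_json_api/ash_authentication. It assumes a `MyApp.Accounts.User` resource using AshAuthentication's password strategy (the `:register_with_password` create action and the `:sign_in_with_password` read action), a `MyApp.DataCase` with a sandboxed repo, and that a failed sign-in surfaces as an `Ash.Error.Forbidden` (the action-level counterpart of the 403 seen in the thread). The email and password values are constructed sample data.

```elixir
# Added example, not from the thread: call the AshAuthentication sign-in action
# directly and check that bad credentials fail the same way regardless of
# whether the email exists. Pair it with the policy-breakdown config from the
# reply above (show_policy_breakdowns?: true) to see why a policy rejected a call.
defmodule MyApp.Accounts.SignInTest do
  use MyApp.DataCase, async: true   # assumed: a standard Ecto sandbox data case

  alias MyApp.Accounts.User         # assumed resource name

  @email "alice@example.com"        # constructed sample data
  @password "correct horse battery" # constructed sample data

  setup do
    # Register a user by calling the create action directly, exactly as the
    # JSON API `post :register_with_password` route would.
    {:ok, user} =
      User
      |> Ash.Changeset.for_create(:register_with_password, %{
        email: @email,
        password: @password,
        password_confirmation: @password
      })
      |> Ash.create()

    %{user: user}
  end

  # Call the sign-in read action directly and return the {:ok, _} / {:error, _} tuple.
  defp sign_in(email, password) do
    User
    |> Ash.Query.for_read(:sign_in_with_password, %{email: email, password: password})
    |> Ash.read_one()
  end

  test "correct credentials return the user with a token", %{user: user} do
    assert {:ok, %User{id: id} = signed_in} = sign_in(@email, @password)
    assert id == user.id
    # AshAuthentication attaches the JWT to the record's metadata on success.
    assert is_binary(signed_in.__metadata__[:token])
  end

  test "wrong password and unknown email fail identically" do
    {:error, wrong_password} = sign_in(@email, "not the password")
    {:error, unknown_email} = sign_in("nobody@example.com", @password)

    # Both failures are the same error class, so a client cannot tell
    # "email exists, wrong password" apart from "email does not exist".
    assert %Ash.Error.Forbidden{} = wrong_password
    assert %Ash.Error.Forbidden{} = unknown_email
  end
end
```

Run it with `mix test test/my_app/accounts/sign_in_test.exs`. If the first test fails with Forbidden even though the credentials are right, the breakdown logged under `log_policy_breakdowns: :error` will name the resource and policy that rejected the call, which is the quickest way to confirm whether it is the token resource's policies, as the reply above suspects.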