Custom authentication logic, add "account disabled" to default sign-in page

Hi,

I’m very new to Ash (Authentication) and evaluating it for a client project; amazing work so far!

My project requires the ability to disable accounts. Ash Authentication does so much out of the box, which is a godsend after implementing it myself, but I’m struggling a little to customise it and ensure it works correctly. I don’t need any SSO providers.

With my current understanding, the simplest place for this seems to be in user.ex, as an additional policy that checks the User resource’s active boolean attribute, placed before the AshAuthenticationInteraction bypass.

# Regular read policy: only rows whose `active` attribute is true are readable.
policy action_type(:read) do
  authorize_if expr(active == true)
end

# Bypass that lets Ash Authentication's own internal interactions through.
bypass AshAuthentication.Checks.AshAuthenticationInteraction do
  authorize_if always()
end

This seems to work as intended… However, the sign-in page displays “invalid email or password” for disabled accounts.

  1. Is there a way to display a custom error/flash message (with policies, or other), or does this need a custom sign-in page implementation?
  2. Would a validate or prepare in the sign_in_with_password action work better?
  3. In the case of wanting an audit trail for this or something similar, is there a way to retrieve the last resource of a one-to-many relation in an action (such as sign-in) and check an attribute (one user ↔ many disable change event)?

Thank you in advance!
Marcus

It’s often a security problem to display reasons for authentication failure, but if you want to have a custom error, you should add a preparation with an after-action hook to the sign-in action, which checks if the user is active and returns a custom error if it is. Then you can react to that in your auth controller.

For having a relationship like you described, you can do:

# A has_one with a sort returns the first record under that sort,
# so with inserted_at: :desc it resolves to the most recently inserted row.
has_one :something, Something do
  sort inserted_at: :desc
end
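Putting the answer above into code, as an added example that is not from this thread or from Ash/AshAuthentication: a preparation with an `Ash.Query.after_action/2` hook on the sign-in action that rejects inactive users with a custom error, a controller `failure/3` clause that reacts to it, and the sorted has_one relationship from the answer used to consult the latest audit event. The module names, the `active` and `disabled` attributes, the `:latest_status_change` relationship and the `/sign-in` route are assumptions, and the error module uses Ash 3's Splode syntax. One caveat: the `active == true` read policy from the question filters a disabled user out of the sign-in read entirely, so an after-action hook would only ever see an empty list; for this hook to work, that policy must not apply to the sign-in action, and the check lives in the preparation instead.

```elixir
# Added example, not code from the thread or from Ash/AshAuthentication.
# Assumptions: MyApp.Accounts.User has a boolean `active` attribute and a
# has_one :latest_status_change relationship (sorted inserted_at: :desc) to an
# audit resource with a boolean `disabled` attribute; Ash 3 / Splode error API.

defmodule MyApp.Accounts.Errors.AccountDisabled do
  # Forbidden-class error with no fields: it carries no account details,
  # so nothing beyond "disabled" can leak through it.
  use Splode.Error, fields: [], class: :forbidden

  def message(_error), do: "This account has been disabled."
end

defmodule MyApp.Accounts.Preparations.RejectDisabledAccount do
  use Ash.Resource.Preparation
  alias MyApp.Accounts.Errors.AccountDisabled

  @impl true
  def prepare(query, _opts, _context) do
    query
    # Pull the newest audit event along with the user (question 3 above).
    |> Ash.Query.load(:latest_status_change)
    |> Ash.Query.after_action(fn _query, users ->
      # No user (wrong credentials) or an active user: results unchanged.
      # Exactly one user: the password strategy's own preparation has already
      # verified the credentials, so saying "disabled" here reveals nothing
      # about accounts the caller could not sign in to anyway.
      case users do
        [user] ->
          if disabled?(user), do: {:error, AccountDisabled.exception([])}, else: {:ok, users}

        _ ->
          {:ok, users}
      end
    end)
  end

  # Both signals are consulted; either one saying "disabled" wins, so the
  # flag on the user and the audit trail cannot silently disagree.
  defp disabled?(user) do
    user.active == false or match?(%{disabled: true}, user.latest_status_change)
  end
end

# Attaching it: declare the sign-in action yourself in the User resource so
# the password strategy reuses it. Shape adapted from the AshAuthentication
# docs; the only addition is the second `prepare` line.
#
#   read :sign_in_with_password do
#     get? true
#     argument :email, :ci_string, allow_nil?: false, sensitive?: true
#     argument :password, :string, allow_nil?: false, sensitive?: true
#     prepare AshAuthentication.Strategy.Password.SignInPreparation
#     prepare MyApp.Accounts.Preparations.RejectDisabledAccount
#     metadata :token, :string, allow_nil?: false
#   end

defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller
  use AshAuthentication.Phoenix.Controller

  # success/4 and sign_out/2 from the generated controller are unchanged and
  # not repeated here; only the failure path needs to distinguish the new error.
  def failure(conn, _activity, reason) do
    message =
      if account_disabled?(reason),
        do: "This account has been disabled. Please contact support.",
        else: "Incorrect email or password"

    conn
    |> put_flash(:error, message)
    |> redirect(to: ~p"/sign-in")
  end

  # Ash may hand the error back bare or wrapped in a class error whose
  # `errors` list contains it; accept both shapes.
  defp account_disabled?(%MyApp.Accounts.Errors.AccountDisabled{}), do: true

  defp account_disabled?(%{errors: errors}) when is_list(errors),
    do: Enum.any?(errors, &account_disabled?/1)

  defp account_disabled?(_), do: false
end
```

Every other failure keeps the generic "Incorrect email or password" text, which is the point made in the answer: the disabled message is only ever shown after a correct password, so it does not turn the sign-in form into an account-enumeration oracle.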

I’ll take a look at that, cheers!