I’m trying to find out how to test live views that are protected by Ash Authentication.
A straight forward way is to just fill in username and password and hit submit when visiting a protected page.
In my normal live view code I have this function in my conn_case.ex
def log_in_user(conn, user) do
token = ActivityPlanner.Accounts.generate_user_session_token(user)
conn
|> Phoenix.ConnTest.init_test_session(%{})
|> Plug.Conn.put_session(:user_token, token)
end
But this is using the custom auth stuff generated from gen.auth.
How can make something similar for Ash Authentication ? I think that’s maybe one of the problems with opaque code. Oh and yes I could probably peer into the source code, but currently I’m just whipping out some code and tries to avoid rabbit holes
I really struggle with this. Because of the opaqueness of ash authentication phoenix I cant use the same form(“#my-form-name”, %{username: “foo”, password: “bar”}) strategy for filling the form fields and submitting with render_submit(). Anyone used ash authentication before and know how to either 1) mock the session in the test, or 2) how to fill in the SignInLive form fields in ash authentication phoenix ?
I haven’t personally tested live views protected with AshAuthentication unfortunately. @jimsynz will probably be able to provide some more info after the weekend. You may have some luck looking at the test suite for AshAuthenticationPhoenix?
You can rewrite the log_in_user/2 function to use AshAuthentication in a few ways. Here I am assuming that your user resource is called User - if it is something else you will need to change current_user to current_X.
If your application is using retrieve_from_session/2 (possibly via AshAuthentication.Phoenix.Plug.load_from_session/2) and has require_token_presence_for_authentication? set:
def log_in_user(conn, user) do
{:ok, token, _} = AshAuthentication.Jwt.token_for_user(user)
conn
|> Phoenix.ConnTest.init_test_session(%{})
|> Plug.Conn.put_session("current_user_token", token)
end
If your application is using retrieve_from_session/2 and doesn’t have require_token_presence_for_authentication? set:
def log_in_user(conn, user) do
subject = AshAuthentication.user_to_subject(user)
conn
|> Phoenix.ConnTest.init_test_session(%{})
|> Plug.Conn.put_session("current_user", subject)
end
Lastly, if you’re using retrieve_from_bearer/2 (possibly via AshAuthentication.Phoenix.Plug.load_from_bearer/2) you can do:
def log_in_user(conn, user) do
{:ok, token, _} = AshAuthentication.Jwt.token_for_user(user)
conn
|> Plug.Conn.put_req_header("authorization", "Bearer #{token}")
end
All of this information is introspectable via AshAuthentication.Info - so I would welcome a PR that adds some test helpers to AshAuthentication.
Thank you @jarlah this was perfect help. I made my own variant using describe setup blocks which I include below in case others might find it useful (or suggest improvements).
defmodule TvpNgWeb.UserDashboardLiveTest do
@moduledoc """
Test the user dashboard
"""
use TvpNgWeb.ConnCase, async: true
import Phoenix.ConnTest
import Phoenix.LiveViewTest
describe "user IS logged in" do
setup [:create_test_user, :log_user_in]
test "and the user dashboard has a title", %{conn: conn} do
{:ok, view, _html} = live(conn, "/dashboard")
assert view |> has_element?("#dashboard_title", "WYL")
# open_browser(view)
end
end
describe "user is NOT logged in" do
test "so you have to sign in to get to the dashboard", %{conn: conn} do
assert {:error, {:redirect, %{to: "/sign-in"}}} = live(conn, "/dashboard")
end
end
defp create_test_user(%{conn: conn}) do
user =
TvpNg.Accounts.User
|> Ash.Changeset.for_create(:register_with_password, %{
email: "test@user.com",
password: "password",
password_confirmation: "password"
})
|> TvpNg.Accounts.create!()
%{user: user, conn: conn}
end
defp log_user_in(%{user: user, conn: conn}) do
subject = AshAuthentication.user_to_subject(user)
%{conn:
conn
|> Phoenix.ConnTest.init_test_session(%{})
|> Plug.Conn.put_session("user", subject)}
end
end
I am leveraging the strategy so that I will be detecting any change in the resource if any, and also I am using the store_in_session function coming from AshAuthentication.Plug.Helpers, which will protect me from any eventual future change in the api.
Do you see any counterargument for such an implementation ?