So the use case is that I’m using Ash authentication and for 95% of users they will have to log in with my custom strategy that we built that is hooking up Swedish Bank ID. But we know that there could be a few users that do not have such a Swedish bank ID, and we need to be able to provide them with an alternative way to log in and we’re gonna use password.
But we would like to have some way of preventing users who have a bank ID to login with the password (Yes, you could argue that it’s stupid to prevent users from using multiple different authentication methods, but that is the requirement).
Is there some way to enforce this behavior to have it stored in the user table or somewhere like that, which users are allowed to use which login methods?
Hi Victor,
here is an idea (not tested): Ash authentication is just an action in the end - e.g. in my app I have both :sign_in_with_magic_link and :register_with_google defined for magic link and Google Authentication, respectively. Can you define an Ash policy that would only allow certain actions to certain users? Or is it more complicated with custom strategies?
Is this the flow?
- User enters email address
- The system confirms if he has a bank account.
- If yes, then use bank auth strategy
- Else, use password strategy to authenticate.
If that’s the case, then you will need the user to go through 2 steps for authentication. Step 1 to help you determine if a bank account exists, step 2 to proceed with the desired auth strategy.
A generic action to handle this might be required.
You can put some logic in the action that signs them in and add or return an error in an after_action hook
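One way to implement the two suggestions above (restricting which sign-in action a user may use, and doing it with a hook on the action itself), as an added example that is not code from the thread, from AshAuthentication or from the original poster's app. It assumes a user resource with an `allowed_login_methods` attribute (a hypothetical `{:array, :atom}` column such as `[:bank_id, :password]`) and a password strategy whose sign-in is the read action `:sign_in_with_password`; the module name `MyApp.Accounts.Preparations.EnforceAllowedMethod` is also assumed.

```elixir
# Assumed attribute on the user resource (not part of the thread):
#   attribute :allowed_login_methods, {:array, :atom},
#     default: [:bank_id, :password], allow_nil?: false
#
# Assumed wiring inside the user resource's actions block; the extra
# preparation runs after the strategy's own preparation has verified
# the password and loaded the matching user:
#   read :sign_in_with_password do
#     argument :email, :ci_string, allow_nil?: false
#     argument :password, :string, allow_nil?: false, sensitive?: true
#     prepare AshAuthentication.Strategy.Password.SignInPreparation
#     prepare {MyApp.Accounts.Preparations.EnforceAllowedMethod, method: :password}
#   end
#
# The same preparation can be attached to the BankID sign-in action with
# `method: :bank_id`, so the allow-list is the single source of truth.
defmodule MyApp.Accounts.Preparations.EnforceAllowedMethod do
  use Ash.Resource.Preparation

  @impl true
  def init(opts) do
    # Fail at compile/boot time if the action forgot to name its method.
    if is_atom(opts[:method]) and not is_nil(opts[:method]) do
      {:ok, opts}
    else
      {:error, ":method option is required, e.g. method: :password"}
    end
  end

  @impl true
  def prepare(query, opts, _context) do
    method = opts[:method]

    # after_action receives the users the sign-in action resolved to.
    # Only let the sign-in succeed if every returned user permits this method.
    Ash.Query.after_action(query, fn _query, users ->
      if Enum.all?(users, &method_allowed?(&1, method)) do
        {:ok, users}
      else
        # Deliberately generic: the response should look identical to a bad
        # password so an attacker cannot learn which method an account accepts.
        {:error, "Authentication failed"}
      end
    end)
  end

  defp method_allowed?(user, method) do
    method in (Map.get(user, :allowed_login_methods) || [])
  end
end
```

Because the check runs after the strategy's own preparation, the password is still verified first and a disallowed-method attempt is indistinguishable from a wrong password from the outside; the same module attached to the BankID action keeps the restriction in one place rather than duplicating logic per strategy.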