Sign in with AshGraphql in Ash3

I’m upgrading my project from Ash 2 to Ash 3.

One thing that I saw is that the token policies should be like this:

  policies do
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      authorize_if always()
    end

    policy always() do
      description """
      There are currently no usages of user tokens resource that should be publicly
      accessible, they should all be using authorize?: false.
      """

      forbid_if always()
    end
  end

If I leave it like that, my sign_in_with_password action will fail when run from GraphQL:

[error] Core.Marketplace.Accounts.Token.read


Policy Breakdown
  Actor: %{active?: true, confirmed_at: ~U[2024-09-11 16:29:09.372093Z], roles: [:guest]}

  There are currently no usages of user tokens resource that should be publicly
accessible, they should all be using authorize?: false.
 | ⛔:
    condition: always true    
    forbid if: always true | ✓ | ⛔

If I replace the token policy with this:

  policies do
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      authorize_if always()
    end

    # sign in needs token access
    policy always() do
      authorize_if always()
    end
  end

Now it works, but I’m not sure if this is correct.

Can I see your :sign_in_with_password action? Are you manually defining it or using the default?

I’m using the default.

@jimsynz this is a strange one. If the user has access to the sign_in_with_password action, shouldn’t the internals that call token actions set the context that it’s Ash Authentication performing the action?