I’m upgrading my project from Ash 2 to Ash 3.
One thing that I saw is that the token policies should be like this:
```elixir
policies do
  bypass AshAuthentication.Checks.AshAuthenticationInteraction do
    authorize_if always()
  end

  policy always() do
    description """
    There are currently no usages of user tokens resource that should be publicly
    accessible, they should all be using authorize?: false.
    """

    forbid_if always()
  end
end
```
If I leave it like that, my sign_in_with_password action will fail when run from GraphQL:
```text
[error] Core.Marketplace.Accounts.Token.read
Policy Breakdown
Actor: %{active?: true, confirmed_at: ~U[2024-09-11 16:29:09.372093Z], roles: [:guest]}
There are currently no usages of user tokens resource that should be publicly
accessible, they should all be using authorize?: false.
| ⛔:
condition: always true
forbid if: always true | ✓ | ⛔
```
If I replace the token policy with this:
```elixir
policies do
  bypass AshAuthentication.Checks.AshAuthenticationInteraction do
    authorize_if always()
  end

  # sign in needs token access
  policy always() do
    authorize_if always()
  end
end
```
Now it works, but I’m not sure if this is correct.
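An added example (not from the post above, and not AshAuthentication's own recommended configuration) showing a narrower alternative to the `policy always() do authorize_if always() end` block. The working version in the post authorizes every action on the token resource for every caller; the variant below keeps the `AshAuthenticationInteraction` bypass, permits only read actions and only when an actor is present, and keeps every other action type forbidden. It assumes Ash's built-in `action_type/1` and `actor_present/0` checks and that the sign-in path only needs a read of the token resource; whether that read alone is sufficient for your GraphQL sign-in flow is an assumption to verify against the same policy breakdown log.

```elixir
# Hypothetical policy block for the Token resource (added example, not the
# original post's code). Ash evaluates every policy whose condition matches,
# so the read policy and the write policy do not need a catch-all forbid.
policies do
  # Calls made by AshAuthentication itself short-circuit all other policies.
  bypass AshAuthentication.Checks.AshAuthenticationInteraction do
    authorize_if always()
  end

  # Assumption: the GraphQL sign-in path only needs to read tokens. Allow
  # that read when there is an actor, instead of for every caller.
  policy action_type(:read) do
    authorize_if actor_present()
  end

  # Creates, updates and destroys outside an authentication interaction stay
  # forbidden, matching the intent of the original forbid_if always() policy.
  policy action_type([:create, :update, :destroy]) do
    forbid_if always()
  end
end
```

If the policy breakdown still shows the read being forbidden, the log's `Actor:` line tells you whether `actor_present()` is the check that failed; if the sign-in read runs with no actor at all, that condition would have to be loosened or the read done with `authorize?: false` as the original description suggests.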