adrian

adrian

Sign in with tokens workflow question

Hello,

I have spent more than a day reading ash code, and this forum to understand how tokens work, but I still have some questions.

I figured out I can get the token like this:

user =
  Ash.Query.for_read(User, :sign_in_with_password, %{
    email: "email@example.com",
    password: "test"
  })
  |> Ash.read_one!()
token = Ash.Resource.get_metadata(user, :token)

But that token is not stored anywhere. I have read this in the generated resource code:

  # In the generated sign in components, we validate the
  # email and password directly in the LiveView
  # and generate a short-lived token that can be used to sign in over
  # a standard controller action, exchanging it for a standard token.
  # This action performs that exchange. If you do not use the generated
  # liveviews, you may remove this action, and set
  # `sign_in_tokens_enabled? false` in the password strategy.

What does it mean? An example of this in the docs would be nice :slight_smile:

I signed in using LiveView /sign-in but still I don’t see any token generated.

I feel this is a stupid question, but what is the workflow for getting the token and using it in the API?

Based on this reply, I understand I can create an API endpoint to sign in and get the password:

use Phoenix.Controller

def sign_in(conn, %{"username" => username, "password" => password}) do
  YourUserResource
  |> Ash.Query.for_read(:sign_in_with_password, %{username: username, password: password})
  |> YourApi.read_one()
  |> case do
    {:ok, user} ->
      conn |> put_status(200) |> json(%{token: user.__metadata__.token})
   {:error, error} ->
     # handle errors. You should get back an `Ash.Error.Forbidden` 
     # error with a nested error you can use to provide an error message
  end
end

But after trying that token in the :sign_in_with_token action, it doesn’t work.

    read :sign_in_with_token do
      # In the generated sign in components, we validate the
      # email and password directly in the LiveView
      # and generate a short-lived token that can be used to sign in over
      # a standard controller action, exchanging it for a standard token.
      # This action performs that exchange. If you do not use the generated
      # liveviews, you may remove this action, and set
      # `sign_in_tokens_enabled? false` in the password strategy.

      description "Attempt to sign in using a short-lived sign in token."
      get? true

      argument :token, :string do
        description "The short-lived sign in token."
        allow_nil? false
        sensitive? true
      end

      # validates the provided sign in token and generates a token
      prepare AshAuthentication.Strategy.Password.SignInWithTokenPreparation

      metadata :token, :string do
        description "A JWT that can be used to authenticate the user."
        allow_nil? false
      end
    end

I get the error:

password: Email or password was incorrect

I attach a screenshot of the error in ash admin.

I also tried in iex:

iex(17)> user = Ash.Query.for_read(User, :sign_in_with_token, %{token: token}) |> Ash.read_one!()

* (Ash.Error.Forbidden) 
Bread Crumbs:
  > Error returned from: Iapruebo.Accounts.User.sign_in_with_token

Forbidden Error

* Authentication failed
  (ash_authentication 4.3.5) lib/ash_authentication/errors/authentication_failed.ex:5: AshAuthentication.Errors.AuthenticationFailed."exception (overridable 2)"/1
  (ash_authentication 4.3.5) lib/ash_authentication/errors/authentication_failed.ex:22: AshAuthentication.Errors.AuthenticationFailed.exception/1
  (ash_authentication 4.3.5) lib/ash_authentication/strategies/password/sign_in_with_token_preparation.ex:52: anonymous fn/3 in AshAuthentication.Strategy.Password.SignInWithTokenPreparation.verify_token_and_constrain_query/2
  (ash 3.4.46) lib/ash/actions/read/read.ex:2364: anonymous fn/2 in Ash.Actions.Read.run_before_action/1
  (elixir 1.17.3) lib/enum.ex:4858: Enumerable.List.reduce/3
  (elixir 1.17.3) lib/enum.ex:2585: Enum.reduce_while/3
  (ash 3.4.46) lib/ash/actions/read/read.ex:2363: Ash.Actions.Read.run_before_action/1
  (ash 3.4.46) lib/ash/actions/read/read.ex:582: anonymous fn/8 in Ash.Actions.Read.do_read/5
  (ash 3.4.46) lib/ash/actions/read/read.ex:938: Ash.Actions.Read.maybe_in_transaction/3
  (ash 3.4.46) lib/ash/actions/read/read.ex:319: Ash.Actions.Read.do_run/3
  (ash 3.4.46) lib/ash/actions/read/read.ex:82: anonymous fn/3 in Ash.Actions.Read.run/3
  (ash 3.4.46) lib/ash/actions/read/read.ex:81: Ash.Actions.Read.run/3
  (ash 3.4.46) lib/ash.ex:2105: Ash.do_read_one/3
  (ash 3.4.46) lib/ash.ex:2053: Ash.read_one/2
  (ash 3.4.46) lib/ash.ex:2018: Ash.read_one!/2
  (elixir 1.17.3) src/elixir.erl:386: :elixir.eval_external_handler/3
  (stdlib 6.2) erl_eval.erl:919: :erl_eval.do_apply/7
  (stdlib 6.2) erl_eval.erl:663: :erl_eval.expr/6
  (elixir 1.17.3) src/elixir.erl:364: :elixir.eval_forms/4
    (ash 3.4.46) lib/ash/error/forbidden.ex:3: Ash.Error.Forbidden.exception/1
    (ash 3.4.46) /home/antares/proyectos/iapruebo/deps/splode/lib/splode.ex:264: Ash.Error.to_class/2
    (ash 3.4.46) lib/ash/error/error.ex:108: Ash.Error.to_error_class/2
    (ash 3.4.46) lib/ash/actions/read/read.ex:390: anonymous fn/3 in Ash.Actions.Read.do_run/3
    (ash 3.4.46) lib/ash/actions/read/read.ex:335: Ash.Actions.Read.do_run/3
    (ash 3.4.46) lib/ash/actions/read/read.ex:82: anonymous fn/3 in Ash.Actions.Read.run/3
    (ash 3.4.46) lib/ash/actions/read/read.ex:81: Ash.Actions.Read.run/3
    (ash 3.4.46) lib/ash.ex:2105: Ash.do_read_one/3
    (ash 3.4.46) lib/ash.ex:2053: Ash.read_one/2
    (ash 3.4.46) lib/ash.ex:2018: Ash.read_one!/2
    iex:17: (file)

I am sure I’m misunderstanding some principle, but I can’t figure out what.

A workflow example in the docs would be nice. Once I understand it, I can add it to the docs.

Thanks a lot!

Most Liked

sevenseacat

sevenseacat

Author of Ash Framework

Authentication tokens by default aren’t stored on the backend - they’re JWTs, that get validated on every request. If you want to store them all using the Token resource, you can enable that with store_all_tokens?

The sign_in_with_token action is only for use with AshAuthenticationPhoenix’s liveviews - if you are building an API with authentication, you can use the token directly in headers when making API requests, eg. Authentication: Bearer <token>.

zachdaniel

zachdaniel

Creator of Ash

That action takes a short lived token with the purpose of “sign_in” and exchanges it for a long lived token that is good for the standard duration.

This exists due to the implementation of liveview. The log in views are liveviews and a liveview cannot put anything into the session except on page load (at least not when we built it, although maybe something could be done with hooks, not sure) and we wanted to support immediate feedback when you submit the form. So the liveview calls the sign in with password action which validates your credentials on the spot. If they are wrong you get a standard form error, if they are right you get redirected to an endpoint with your short lived sign in token to exchange for a long lived token that gets put in the session. Because the LV couldn’t modify the session, and we don’t want to send the username and password in a redirect (we cannot it would be insecure) a sign in token was the only way to be secure while having the UX we wanted.

To get a short lived sign in token that can be used with that endpoint, you’d need to set this context:

https://github.com/team-alembic/ash_authentication_phoenix/blob/718b79213c56a63dadf0d2154d3a1d0d2863c092/lib/ash_authentication_phoenix/components/password/sign_in_form.ex#L160

In terms of “where can you read about” the docs are on hexdocs. If what you’re looking for isn’t there then it isn’t anywhere. However, it can be easy to miss the DSL docs. Scroll down and look in the bottom of the sidebar, which has docs for every option.

What specifically are you trying to do/implement? It’s possible there is some X/Y problem going on here. You’re asking about sign in tokens but they are for a single purpose which is signing in over a liveview.

Folks have implemented their own token refresh system on top of ash authentication’s token it just isn’t built in yet, so that is very much an option :slight_smile:

Perhaps ask in the discord to see if someone can share their implementation? If they do, ask them to share it here so others can find it.

zachdaniel

zachdaniel

Creator of Ash

You can also look into Ash.Seed to inset data directly into the database if you like. It supports upserts.

Where Next?

Popular in Questions Top

chokchit
** (DBConnection.ConnectionError) connection not available and request was dropped from queue after 2733ms. You can configure how long re...
New
_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29377 241
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 53690 245
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New

We're in Beta

About us Mission Statement