Trouble setting up Ash Authentication with Google

I’m newer to Elixir/Phoenix in general, but decided to give Ash a go because I really like the philosophy. However, I’m running into trouble setting up Google Oauth with Ash Authentication.

Actually, I set up magic link first using Igniter, but then realized in production, I can’t send emails yet, so I added password authentication. (This seemed to break magic link )

Now I’m trying to add Google, as I want to build a prototype to read emails. After following instructions, the Sign in with Google button shows up, but clicking it just returns me back to /sign-in page.

There are no errors in the console… and this is where I’m a bit stuck with the Ash philosophy. If I’m declaring everything, how do I trace the code to find out what’s wrong? Am I just guessing which attributes are missing?

Here is my User resource:

defmodule Playground.Accounts.User do
  use Ash.Resource,
    otp_app: :playground,
    domain: Playground.Accounts,
    authorizers: [Ash.Policy.Authorizer],
    extensions: [AshAuthentication],
    data_layer: AshSqlite.DataLayer

  authentication do
    add_ons do
      log_out_everywhere do
        apply_on_password_change?(true)
      end

      confirmation :confirm_new_user do
        monitor_fields [:email]
        confirm_on_create? true
        confirm_on_update? false

        auto_confirm_actions [
          :register_with_google,
          :sign_in_with_magic_link,
          :reset_password_with_token
        ]

        sender Playground.Accounts.User.Senders.SendNewUserConfirmationEmail
      end
    end

    tokens do
      enabled? true
      token_resource Playground.Accounts.Token
      signing_secret Playground.Secrets
      store_all_tokens? true
      require_token_presence_for_authentication? true
    end

    strategies do
      magic_link do
        identity_field :email
        registration_enabled? true

        sender Playground.Accounts.User.Senders.SendMagicLinkEmail
      end

      password :password do
        identity_field :email

        resettable do
          sender Playground.Accounts.User.Senders.SendPasswordResetEmail
          # these configurations will be the default in a future release
          password_reset_action_name :reset_password_with_token
          request_password_reset_action_name :request_password_reset_token
        end
      end

      google do
        client_id Playground.Secrets
        redirect_uri Playground.Secrets
        client_secret Playground.Secrets
      end
    end
  end

  sqlite do
    table "users"
    repo Playground.Repo
  end

  actions do
    defaults [:read]

    read :get_by_subject do
      description "Get a user by the subject claim in a JWT"
      argument :subject, :string, allow_nil?: false
      get? true
      prepare AshAuthentication.Preparations.FilterBySubject
    end

    read :get_by_email do
      description "Looks up a user by their email"
      get? true

      argument :email, :ci_string do
        allow_nil? false
      end

      filter expr(email == ^arg(:email))
    end

    create :sign_in_with_magic_link do
      description "Sign in or register a user with magic link."

      argument :token, :string do
        description "The token from the magic link that was sent to the user"
        allow_nil? false
      end

      upsert? true
      upsert_identity :unique_email
      upsert_fields [:email, :confirmed_at]

      # Uses the information from the token to create or sign in the user
      change AshAuthentication.Strategy.MagicLink.SignInChange

      metadata :token, :string do
        allow_nil? false
      end
    end

    action :request_magic_link do
      argument :email, :ci_string do
        allow_nil? false
      end

      run AshAuthentication.Strategy.MagicLink.Request
    end

    update :change_password do
      # Use this action to allow users to change their password by providing
      # their current password and a new password.

      require_atomic? false
      accept []
      argument :current_password, :string, sensitive?: true, allow_nil?: false
      argument :password, :string, sensitive?: true, allow_nil?: false
      argument :password_confirmation, :string, sensitive?: true, allow_nil?: false

      validate confirm(:password, :password_confirmation)

      validate {AshAuthentication.Strategy.Password.PasswordValidation,
                strategy_name: :password, password_argument: :current_password}

      change {AshAuthentication.Strategy.Password.HashPasswordChange, strategy_name: :password}
    end

    read :sign_in_with_password do
      description "Attempt to sign in using a email and password."
      get? true

      argument :email, :ci_string do
        description "The email to use for retrieving the user."
        allow_nil? false
      end

      argument :password, :string do
        description "The password to check for the matching user."
        allow_nil? false
        sensitive? true
      end

      # validates the provided email and password and generates a token
      prepare AshAuthentication.Strategy.Password.SignInPreparation

      metadata :token, :string do
        description "A JWT that can be used to authenticate the user."
        allow_nil? false
      end
    end

    read :sign_in_with_token do
      # In the generated sign in components, we validate the
      # email and password directly in the LiveView
      # and generate a short-lived token that can be used to sign in over
      # a standard controller action, exchanging it for a standard token.
      # This action performs that exchange. If you do not use the generated
      # liveviews, you may remove this action, and set
      # `sign_in_tokens_enabled? false` in the password strategy.

      description "Attempt to sign in using a short-lived sign in token."
      get? true

      argument :token, :string do
        description "The short-lived sign in token."
        allow_nil? false
        sensitive? true
      end

      # validates the provided sign in token and generates a token
      prepare AshAuthentication.Strategy.Password.SignInWithTokenPreparation

      metadata :token, :string do
        description "A JWT that can be used to authenticate the user."
        allow_nil? false
      end
    end

    create :register_with_password do
      description "Register a new user with a email and password."

      argument :email, :ci_string do
        allow_nil? false
      end

      argument :password, :string do
        description "The proposed password for the user, in plain text."
        allow_nil? false
        constraints min_length: 8
        sensitive? true
      end

      argument :password_confirmation, :string do
        description "The proposed password for the user (again), in plain text."
        allow_nil? false
        sensitive? true
      end

      # Sets the email from the argument
      change set_attribute(:email, arg(:email))

      # Hashes the provided password
      change AshAuthentication.Strategy.Password.HashPasswordChange

      # Generates an authentication token for the user
      change AshAuthentication.GenerateTokenChange

      # validates that the password matches the confirmation
      validate AshAuthentication.Strategy.Password.PasswordConfirmationValidation

      metadata :token, :string do
        description "A JWT that can be used to authenticate the user."
        allow_nil? false
      end
    end

    action :request_password_reset_token do
      description "Send password reset instructions to a user if they exist."

      argument :email, :ci_string do
        allow_nil? false
      end

      # creates a reset token and invokes the relevant senders
      run {AshAuthentication.Strategy.Password.RequestPasswordReset, action: :get_by_email}
    end

    update :reset_password_with_token do
      argument :reset_token, :string do
        allow_nil? false
        sensitive? true
      end

      argument :password, :string do
        description "The proposed password for the user, in plain text."
        allow_nil? false
        constraints min_length: 8
        sensitive? true
      end

      argument :password_confirmation, :string do
        description "The proposed password for the user (again), in plain text."
        allow_nil? false
        sensitive? true
      end

      # validates the provided reset token
      validate AshAuthentication.Strategy.Password.ResetTokenValidation

      # validates that the password matches the confirmation
      validate AshAuthentication.Strategy.Password.PasswordConfirmationValidation

      # Hashes the provided password
      change AshAuthentication.Strategy.Password.HashPasswordChange

      # Generates an authentication token for the user
      change AshAuthentication.GenerateTokenChange
    end

    create :register_with_google do
      argument :user_info, :map, allow_nil?: false
      argument :oauth_tokens, :map, allow_nil?: false
      upsert? true
      upsert_identity :unique_email

      change AshAuthentication.GenerateTokenChange

      # Required if you have the `identity_resource` configuration enabled.
      change AshAuthentication.Strategy.OAuth2.IdentityChange

      change fn changeset, _ ->
        user_info = Ash.Changeset.get_argument(changeset, :user_info)

        Ash.Changeset.change_attributes(changeset, Map.take(user_info, ["email"]))
      end

      # Required if you're using the password & confirmation strategies
      upsert_fields []
      change set_attribute(:confirmed_at, &DateTime.utc_now/0)

      change after_action(fn _changeset, user, _context ->
               case user.confirmed_at do
                 nil -> {:error, "Unconfirmed user exists already"}
                 _ -> {:ok, user}
               end
             end)
    end
  end

  policies do
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      authorize_if always()
    end

    policy always() do
      forbid_if always()
    end
  end

  attributes do
    uuid_primary_key :id

    attribute :email, :ci_string do
      allow_nil? false
      public? true
    end

    attribute :hashed_password, :string do
      allow_nil? true
      sensitive? true
    end
  end

  identities do
    identity :unique_email, [:email]
  end
end

Much appreciate any insights.

The first step would be looking at your Phoenix server logs - what’s happening when you click sign in? Is it redirecting somewhere and then redirecting back to your app?

The second part would probably be to turn on debugging for authentication failures in development - see AshAuthentication.Debug — ash_authentication v4.5.2 for details.

As to magic link being broken, we’d probably need some more information about how exactly it’s broken before we can start to diagnose how to fix it!

Ah, the debug would be very helpful! Thank you for that.

There’s a lot of documentation for Ash and it can be a bit overwhelming, but I’m getting there.

Looks like the Magic Link issue is only when trying to log in to accounts that aren’t confirmed. Getting the following error:

[error] ** (Ash.Error.Unknown) 
Bread Crumbs:
  > Exception raised in: Playground.Accounts.User.sign_in_with_magic_link

Unknown Error

* ** (CaseClauseError) no case clause matching: {:ok, []}
  (ash_sqlite 0.2.3) lib/data_layer.ex:1213: AshSqlite.DataLayer.upsert/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:377: anonymous fn/6 in Ash.Actions.Create.commit/3
  (ash 3.4.64) lib/ash/changeset/changeset.ex:4021: Ash.Changeset.run_around_actions/2
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3699: anonymous fn/2 in Ash.Changeset.transaction_hooks/2
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3609: Ash.Changeset.with_hooks/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:260: Ash.Actions.Create.commit/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:132: Ash.Actions.Create.do_run/4
  (ash 3.4.64) lib/ash/actions/create/create.ex:50: Ash.Actions.Create.run/4
  (ash_authentication 4.5.1) lib/ash_authentication/strategies/magic_link/actions.ex:62: AshAuthentication.Strategy.MagicLink.Actions.sign_in/3
  (ash_authentication 4.5.1) lib/ash_authentication/strategies/magic_link/plug.ex:44: AshAuthentication.Strategy.MagicLink.Plug.sign_in/2
  (ash_authentication 4.5.1) lib/ash_authentication/plug/dispatcher.ex:29: AshAuthentication.Plug.Dispatcher.call/2
  (phoenix 1.7.18) lib/phoenix/router/route.ex:42: Phoenix.Router.Route.call/2
  (phoenix 1.7.18) lib/phoenix/router.ex:484: Phoenix.Router.__call__/5
  (playground 0.1.0) lib/playground_web/endpoint.ex:1: PlaygroundWeb.Endpoint.plug_builder_call/2
  (playground 0.1.0) deps/plug/lib/plug/debugger.ex:136: PlaygroundWeb.Endpoint."call (overridable 3)"/2
  (playground 0.1.0) lib/playground_web/endpoint.ex:1: PlaygroundWeb.Endpoint.call/2
  (phoenix 1.7.18) lib/phoenix/endpoint/sync_code_reload_plug.ex:22: Phoenix.Endpoint.SyncCodeReloadPlug.do_call/4
  (bandit 1.6.6) lib/bandit/pipeline.ex:129: Bandit.Pipeline.call_plug!/2
  (bandit 1.6.6) lib/bandit/pipeline.ex:40: Bandit.Pipeline.run/4
  (bandit 1.6.6) lib/bandit/http1/handler.ex:12: Bandit.HTTP1.Handler.handle_data/3
    (ash_sqlite 0.2.3) lib/data_layer.ex:1213: AshSqlite.DataLayer.upsert/3
    (ash 3.4.64) lib/ash/actions/create/create.ex:377: anonymous fn/6 in Ash.Actions.Create.commit/3
    (ash 3.4.64) lib/ash/changeset/changeset.ex:4021: Ash.Changeset.run_around_actions/2
    (ash 3.4.64) lib/ash/changeset/changeset.ex:3699: anonymous fn/2 in Ash.Changeset.transaction_hooks/2
    (ash 3.4.64) lib/ash/changeset/changeset.ex:3609: Ash.Changeset.with_hooks/3
    (ash 3.4.64) lib/ash/actions/create/create.ex:260: Ash.Actions.Create.commit/3
    (ash 3.4.64) lib/ash/actions/create/create.ex:132: Ash.Actions.Create.do_run/4
    (ash 3.4.64) lib/ash/actions/create/create.ex:50: Ash.Actions.Create.run/4
    (ash_authentication 4.5.1) lib/ash_authentication/strategies/magic_link/actions.ex:62: AshAuthentication.Strategy.MagicLink.Actions.sign_in/3
    (ash_authentication 4.5.1) lib/ash_authentication/strategies/magic_link/plug.ex:44: AshAuthentication.Strategy.MagicLink.Plug.sign_in/2
    (ash_authentication 4.5.1) lib/ash_authentication/plug/dispatcher.ex:29: AshAuthentication.Plug.Dispatcher.call/2
    (phoenix 1.7.18) lib/phoenix/router/route.ex:42: Phoenix.Router.Route.call/2
    (phoenix 1.7.18) lib/phoenix/router.ex:484: Phoenix.Router.__call__/5
    (playground 0.1.0) lib/playground_web/endpoint.ex:1: PlaygroundWeb.Endpoint.plug_builder_call/2
    (playground 0.1.0) deps/plug/lib/plug/debugger.ex:136: PlaygroundWeb.Endpoint."call (overridable 3)"/2
    (playground 0.1.0) lib/playground_web/endpoint.ex:1: PlaygroundWeb.Endpoint.call/2
    (phoenix 1.7.18) lib/phoenix/endpoint/sync_code_reload_plug.ex:22: Phoenix.Endpoint.SyncCodeReloadPlug.do_call/4
    (bandit 1.6.6) lib/bandit/pipeline.ex:129: Bandit.Pipeline.call_plug!/2
    (bandit 1.6.6) lib/bandit/pipeline.ex:40: Bandit.Pipeline.run/4
    (bandit 1.6.6) lib/bandit/http1/handler.ex:12: Bandit.HTTP1.Handler.handle_data/3

I found the Confirmation Tutorial. I’m guessing this is the issue, although the error is a bit cryptic.

Will try one of the ways to handle magic link confirmation after lunch!

This definitely looks like a bug. Please open a bug showing that stack trace on ash_sqlite

Done!

Alright, going back to debugging Google Signin…

Turned on debugging for authentication failures, but no errors.
Looks like it just hits the /auth/user/google route and redirects back to the sign in page.

[info] GET /auth/user/google
[debug] Processing with AshAuthentication.Phoenix.StrategyRouter
  Parameters: %{}
  Pipelines: [:browser]
[info] Sent 302 in 286µs
[info] GET /sign-in
[debug] Processing with AshAuthentication.Phoenix.SignInLive.sign_in/2
  Parameters: %{}
  Pipelines: [:browser]
[info] Sent 200 in 5ms
[info] CONNECTED TO Phoenix.LiveView.Socket in 16µs
  Transport: :websocket
  Serializer: Phoenix.Socket.V2.JSONSerializer
  Parameters: %{"_csrf_token" => "QVwzNQcrHnQoBhkoGCFHcVYZcEhTCHMH6qzDkrX6aBNb5Q34oX4qf8Co", "_live_referer" => "undefined", "_mount_attempts" => "0", "_mounts" => "0", "_track_static" => %{"0" => "http://localhost:4000/assets/app.css", "1" => "http://localhost:4000/assets/app.js"}, "vsn" => "2.0.0"}
[debug] MOUNT AshAuthentication.Phoenix.SignInLive
  Parameters: %{}
  Session: %{"_csrf_token" => "w-IqlYFBIDWJ-ptE9AD9500h", "auth_routes_prefix" => "/auth", "context" => nil, "gettext_fn" => nil, "otp_app" => nil, "overrides" => [PlaygroundWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default], "path" => "/sign-in", "register_path" => "/register", "reset_path" => "/reset", "tenant" => nil}
[debug] Replied in 179µs
[debug] HANDLE PARAMS in AshAuthentication.Phoenix.SignInLive
  Parameters: %{}
[debug] Replied in 37µs

Not sure if this is how it’s supposed to show up, but the button is grey compared to the other signin buttons.

image640×360 11.5 KB

Alright, so that first issue you mentioned should be fixed, will be released next week.

Could I see how your router is set up? Are you getting into your AuthController at all? i.e in the failure callback?

You guys are amazing! Thank you.

My router.ex:

defmodule PlaygroundWeb.Router do
  use PlaygroundWeb, :router

  use AshAuthentication.Phoenix.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {PlaygroundWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  pipeline :api do
    plug :accepts, ["json"]
    plug :load_from_bearer
  end

  scope "/", PlaygroundWeb do
    pipe_through :browser

    get "/", PageController, :home

    ash_authentication_live_session :authenticated_routes,
      on_mount: {PlaygroundWeb.LiveUserAuth, :live_user_required} do
      # in each liveview, add one of the following at the top of the module:
      #
      # If an authenticated user must be present:
      # on_mount {PlaygroundWeb.LiveUserAuth, :live_user_required}
      #
      # If an authenticated user *may* be present:
      # on_mount {PlaygroundWeb.LiveUserAuth, :live_user_optional}
      #
      # If an authenticated user must *not* be present:
      # on_mount {PlaygroundWeb.LiveUserAuth, :live_no_user}

      live "/tts", TTSLive
      live "/scraper", ScraperLive
      live "/domain", DynamicDomainLive

      live "/chat", ChatLive
      live "/voice", VoiceLive
    end
  end

  scope "/", PlaygroundWeb do
    pipe_through :browser

    auth_routes AuthController, Playground.Accounts.User, path: "/auth"
    sign_out_route AuthController

    # Remove these if you'd like to use your own authentication views
    sign_in_route register_path: "/register",
                  reset_path: "/reset",
                  auth_routes_prefix: "/auth",
                  on_mount: [{PlaygroundWeb.LiveUserAuth, :live_no_user}],
                  overrides: [
                    PlaygroundWeb.AuthOverrides,
                    AshAuthentication.Phoenix.Overrides.Default
                  ]

    # Remove this if you do not want to use the reset password feature
    reset_route auth_routes_prefix: "/auth",
                overrides: [
                  PlaygroundWeb.AuthOverrides,
                  AshAuthentication.Phoenix.Overrides.Default
                ]

    ash_authentication_live_session :user_account_routes,
      on_mount: {PlaygroundWeb.LiveUserAuth, :live_user_required} do
      live "/account", AccountLive
    end
  end

  # Other scopes may use custom stacks.
  # scope "/api", PlaygroundWeb do
  #   pipe_through :api
  # end

  # Enable LiveDashboard and Swoosh mailbox preview in development
  if Application.compile_env(:playground, :dev_routes) do
    # If you want to use the LiveDashboard in production, you should put
    # it behind authentication and allow only admins to access it.
    # If your application does not have an admins-only section yet,
    # you can use Plug.BasicAuth to set up some basic authentication
    # as long as you are also using SSL (which you should anyway).
    import Phoenix.LiveDashboard.Router

    scope "/dev" do
      pipe_through :browser

      live_dashboard "/dashboard", metrics: PlaygroundWeb.Telemetry
      forward "/mailbox", Plug.Swoosh.MailboxPreview
    end
  end
end

Here’s the log:

[info] GET /auth/user/google
[debug] Processing with AshAuthentication.Phoenix.StrategyRouter
  Parameters: %{}
  Pipelines: [:browser]
[info] Sent 302 in 315µs
[info] GET /sign-in
[debug] Processing with AshAuthentication.Phoenix.SignInLive.sign_in/2
  Parameters: %{}
  Pipelines: [:browser]
[info] Sent 200 in 5ms
[info] CONNECTED TO Phoenix.LiveView.Socket in 16µs
  Transport: :websocket
  Serializer: Phoenix.Socket.V2.JSONSerializer
  Parameters: %{"_csrf_token" => "dBYwBBd4P2tyCRMkPGZbBgQ-HQc0GyN77AoltME8KAalN-vKjgSTulGM", "_live_referer" => "undefined", "_mount_attempts" => "0", "_mounts" => "0", "_track_static" => %{"0" => "http://localhost:4000/assets/app.css", "1" => "http://localhost:4000/assets/app.js"}, "vsn" => "2.0.0"}
[debug] MOUNT AshAuthentication.Phoenix.SignInLive
  Parameters: %{}
  Session: %{"_csrf_token" => "CW_hc5zS9HrHrK-MnYNSAwd6", "auth_routes_prefix" => "/auth", "context" => nil, "gettext_fn" => nil, "otp_app" => nil, "overrides" => [PlaygroundWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default], "path" => "/sign-in", "register_path" => "/register", "reset_path" => "/reset", "tenant" => nil}
[debug] Replied in 226µs
[debug] HANDLE PARAMS in AshAuthentication.Phoenix.SignInLive
  Parameters: %{}
[debug] Replied in 45µs

I’m… not sure if it goes into AuthController. It looks like it hits the /auth/user/google route and just redirects.

Here’s my mix phx.routes:

  GET   /                                      PlaygroundWeb.PageController :home
  GET   /tts                                   PlaygroundWeb.TTSLive nil
  GET   /scraper                               PlaygroundWeb.ScraperLive nil
  GET   /domain                                PlaygroundWeb.DynamicDomainLive nil
  GET   /chat                                  PlaygroundWeb.ChatLive nil
  GET   /voice                                 PlaygroundWeb.VoiceLive nil
  *     /auth                                  AshAuthentication.Phoenix.StrategyRouter [path: "/auth", as: :auth, controller: PlaygroundWeb.AuthController, not_found_plug: nil, resources: [Playground.Accounts.User]]
  GET   /sign-out                              PlaygroundWeb.AuthController :sign_out
  GET   /sign-in                               AshAuthentication.Phoenix.SignInLive :sign_in
  GET   /reset                                 AshAuthentication.Phoenix.SignInLive :reset
  GET   /register                              AshAuthentication.Phoenix.SignInLive :register
  GET   /password-reset/:token                 AshAuthentication.Phoenix.ResetLive :reset
  GET   /account                               PlaygroundWeb.AccountLive nil
  GET   /dev/dashboard/css-:md5                Phoenix.LiveDashboard.Assets :css
  GET   /dev/dashboard/js-:md5                 Phoenix.LiveDashboard.Assets :js
  GET   /dev/dashboard                         Phoenix.LiveDashboard.PageLive :home
  GET   /dev/dashboard/:page                   Phoenix.LiveDashboard.PageLive :page
  GET   /dev/dashboard/:node/:page             Phoenix.LiveDashboard.PageLive :page
  *     /dev/mailbox                           Plug.Swoosh.MailboxPreview []
  WS    /live/websocket                        Phoenix.LiveView.Socket
  GET   /live/longpoll                         Phoenix.LiveView.Socket
  POST  /live/longpoll                         Phoenix.LiveView.Socket

  GET  /auth/user/confirm_new_user            AshAuthentication.AddOn.Confirmation
  GET  /auth/user/google                      AshAuthentication.Strategy.OAuth2
  POST  /auth/user/google/callback             AshAuthentication.Strategy.OAuth2
  GET  /auth/user/password/sign_in_with_token  AshAuthentication.Strategy.Password
  POST  /auth/user/password/register           AshAuthentication.Strategy.Password
  POST  /auth/user/password/sign_in            AshAuthentication.Strategy.Password
  POST  /auth/user/password/reset_request      AshAuthentication.Strategy.Password
  POST  /auth/user/password/reset              AshAuthentication.Strategy.Password
  POST  /auth/user/magic_link/request          AshAuthentication.Strategy.MagicLink
  GET  /auth/user/magic_link                  AshAuthentication.Strategy.MagicLink

The first thing to do would be to drop some dbg or IO.inspect calls in the AuthController success and failure callbacks to see if its getting there, and if its getting into the failure callback to see what the error is

Will do. Thanks for being patient with a new Elixir developer.

Of course! Welcome to Elixir We’ll get you sorted

Well, after struggling a bit, looks like Claude figured it out for me.

I added IO.inspect statements to AuthController failure callback and it said the secrets weren’t set.

Turns out I was using Application.fetch_env! with a ! and it wasn’t returning the secret in a {:ok, <secret>} format.