Custom Authentication Flow with AshAuthentication in Phoenix + React (Inertia.js)
Hi everyone! I've been implementing a custom authentication flow using AshAuthentication with Phoenix and React via Inertia.js. I wanted to share my approach and ask for feedback, especially regarding password reset functionality.
Working Authentication Actions
So far, I've successfully implemented the following actions defined by the AshAuthentication generator in my User Resource:
Registration Controller
Here's how I'm handling registration:
Login Controller
And here's the login implementation:
Password Reset Flow
I've implemented the first part of the password reset flow - requesting a reset token:
Issue with Password Reset
I'm trying to implement the controller to update the password, but I'm getting an error:
The error I'm getting is:
It seems like there's an issue with a "primary key", but I'm not sure what this means since I am passing all the expected parameters (password, password_confirmation, token).
So, how should I properly implement this?
Thanks in advance for any help or insights!
10 Replies
I believe that you are just missing the first argument to Accounts.reset_password_with_token, which is the user or an identifier for the user
i.e. Accounts.reset_password_with_token(user, params) or Accounts.reset_password_with_token(user_id, params)
As that is an update action, it takes the thing being updated as the first argument 🙂
Yeah... I was missing that, silly mistake on my part.
So after some research I ended up with the following implementation:
What do you think about it?
That seems reasonable to me 🙂
Cool. I'd like your input on the final piece of my authentication flow - confirming new users.
I'm requiring users to confirm their accounts in order to log in. This is my implementation so far:
And the controller using these functions:
What do you think? It works but I think there might be a more "Ash" way to do it
The only thing I might suggest is to have a generic action that does those multistep flows
I found myself having to set authorize?: false almost on every function I have to use. Is this a normal pattern or am I not getting something here?
I think I could skip this setting authorize: :when_requested option in the authorization block in my User resource but I read that this is not best practice.
Could you please guide me if this is how it's supposed to be?
So it is "working as intended"
There are policies on your user resource that allow AshAuthentication to call these actions, which it does by setting a special context.
You could make a custom "system actor" for example, or set a context of your own that allows it to be performed
If you do end up using authorize? false, don't do it using default options. Add that option at the places where it's called to make it clear "this bypasses resource policies"
I'll have to read more about authorization and policies to better understand all of this.
Alright. My custom auth is implemented.
In case anyone wants to check out the commit: https://github.com/joangavelan/contactly_ash/commit/d4c0c812bcfb6a83558581bac14e87f59221d965
Thanks a lot Zach for your help. I'll mark this as solved.
Yes, definitely read through the policies guide 🙂