24 replies

session_identifier compilation on AshAuthentication update

When updating AshAuthenticationPhoenix for the security advisory, I also updated AshAuthentication, and that also produces a compile-time error, which is not mentioned in the advisory.

    ** (Spark.Error.DslError) authentication -> session_identifier:
  Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.

If you are seeing this error while upgrading ash_authentication, be aware that
updating this setting will log out all of your users.

When set to `:unsafe`, tokens are not revoked when the user logs out.
When set to `:jti`, we use this information to revoke tokens on logout.

    ** (Spark.Error.DslError) authentication -> session_identifier:
  Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.

If you are seeing this error while upgrading ash_authentication, be aware that
updating this setting will log out all of your users.

When set to `:unsafe`, tokens are not revoked when the user logs out.
When set to `:jti`, we use this information to revoke tokens on logout.

Does this just go in the top level of the

authentication do

authentication do

block? i.e.

  authentication do
    session_identifier :jti
    strategies do
      password :password do
        identity_field :email
        hashed_password_field :hashed_password
      end
    end
  end

  authentication do
    session_identifier :jti
    strategies do
      password :password do
        identity_field :email
        hashed_password_field :hashed_password
      end
    end
  end

Solution

the preferred solution would be to turn on

require_token_presence_for_authentication? true

require_token_presence_for_authentication? true

Jump to solution

Ash Framework•9mo ago•

24 replies

aidalgol

session_identifier compilation on AshAuthentication update

When updating AshAuthenticationPhoenix for the security advisory, I also updated AshAuthentication, and that also produces a compile-time error, which is not mentioned in the advisory.

    ** (Spark.Error.DslError) authentication -> session_identifier:
  Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.

If you are seeing this error while upgrading ash_authentication, be aware that
updating this setting will log out all of your users.

When set to `:unsafe`, tokens are not revoked when the user logs out.
When set to `:jti`, we use this information to revoke tokens on logout.

    ** (Spark.Error.DslError) authentication -> session_identifier:
  Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.

If you are seeing this error while upgrading ash_authentication, be aware that
updating this setting will log out all of your users.

When set to `:unsafe`, tokens are not revoked when the user logs out.
When set to `:jti`, we use this information to revoke tokens on logout.

Does this just go in the top level of the

authentication do

authentication do

block? i.e.

  authentication do
    session_identifier :jti
    strategies do
      password :password do
        identity_field :email
        hashed_password_field :hashed_password
      end
    end
  end

  authentication do
    session_identifier :jti
    strategies do
      password :password do
        identity_field :email
        hashed_password_field :hashed_password
      end
    end
  end

Solution

the preferred solution would be to turn on

require_token_presence_for_authentication? true

require_token_presence_for_authentication? true

Jump to solution

session_identifier compilation on AshAuthentication update

session_identifier compilation on AshAuthentication update

Similar Threads

Similar Threads

Similar Threads