AshAuthentication require confirmation not working
I am going through the Confirmation Tutorial, and even though I have added require_confirmed_with to the password strategy block, I can still log in before visiting the confirmation URL in the email. Worth noting that I started adding AshAuthentication to my application before the Igniter installers were added, so my resources may be missing some optional-but-recommended blocks that the installers add.
17 Replies
I posted this 1 minute before the release-day announcements, so I'll go update my deps now. 😆
Now running latest version of all ash deps. Same issue.
What does your code look like?
Like the DSL I mean
What did you set the value of :require_confirmed_with to?
I attached the source files for my user and token resources.
They show up inline on the web client, but it might be more of a pain on mobile.
Ah, I see
Um... hm.
Does the user in question have the confirmation attribute set?
Or is it nil?
And you recompiled etc to make sure it's not like a build issue or something?
It's set to nil. I don't think I tried recompiling after running the ash.codegen and ash.reset mix tasks. I'll try that now.
I'm...not actually sure that code has ever been doing the right thing on registration.
I suspect people were solving for it by not placing the user in the session on registration
GitHub
ash_authentication/lib/ash_authentication/strategies/password/actio...
The Ash Authentication framework. Contribute to team-alembic/ash_authentication development by creating an account on GitHub.
That needs to do the confirmation logic that sign in does.
@jart ^
I think most people are rolling their own confirmation requirements with a plug actually TBH
It's a better UX when you let the user be signed in, but take them to a page asking them to confirm their account
That's likely why no one noticed
Ah
I'll fix that behavior though.
Nope, I won't 😄
I'll just have to update the docs
Essentially, post-registration you still need to be able to get the user back who just registered
So we can't return an error
It also seems app-dependent what you want to do if the user is not confirmed.
so it's up to you in your success callback to decide whether or not to put the user into the session
This is now explained 😄
Thanks for bringing it up. You know it needs docs when even I'm confused about how it's supposed to work 😜
Note that, on registration, the user will still be provided to your success callback in your AuthController (when using AshAuthenticationPhoenix). It is your responsibility to determine what to do post-registration. This typically means modifying the default not to call store_in_session if the activity is for registration.
Not sure that will work. From my app's log (messages from AshPostgres omitted), (The line [debug] [auth: :success, activity: {:password, :sign_in_with_token}] is from my AuthController.)
I think you'd still do the check in AuthController, but you would have to look at the user record's confirmed_at attribute, rather than the activity parameter.
Which would also cover both registering and signing-in paths.
Hm...yeah. I guess when you have sign in tokens enabled, it doesn't tell you if the user just registered or not 😅
Will think on it
Okay, @aidalgol I think I might see what's going on. Do you have sign_in_tokens_enabled?
Solution
Okay, fix released, docs updated
I haven't enabled it explicitly anywhere. Is that an ash config parameter, or something I'd set on the resource?
Never mind, I found it in the docs. I should really finish my morning coffee before responding to messages. 🫠
So yes, it is enabled, because it defaults to true.
Thanks for your help on this.