14 replies

Auto generated `reset_password_with_token` not loading user

Hi everyone!

I’m trying to expose the auto-generated

reset_password_with_token

reset_password_with_token

action via Ash GraphQL, but I keep getting a

not_found

not_found

error no matter what I try.

Here’s my setup (auto generated):

update :reset_password_with_token do
  argument :reset_token, :string do
    allow_nil? false
    sensitive? true
  end

  argument :password, :string do
    description "The proposed password for the user, in plain text."
    allow_nil? false
    constraints min_length: 8
    sensitive? true
  end

  argument :password_confirmation, :string do
    description "The proposed password for the user (again), in plain text."
    allow_nil? false
    sensitive? true
  end

  # validates the provided reset token
  validate AshAuthentication.Strategy.Password.ResetTokenValidation

  # validates that the password matches the confirmation
  validate AshAuthentication.Strategy.Password.PasswordConfirmationValidation

  # Hashes the provided password
  change AshAuthentication.Strategy.Password.HashPasswordChange

  # Generates an authentication token for the user
  change AshAuthentication.GenerateTokenChange
end

update :reset_password_with_token do
  argument :reset_token, :string do
    allow_nil? false
    sensitive? true
  end

  argument :password, :string do
    description "The proposed password for the user, in plain text."
    allow_nil? false
    constraints min_length: 8
    sensitive? true
  end

  argument :password_confirmation, :string do
    description "The proposed password for the user (again), in plain text."
    allow_nil? false
    sensitive? true
  end

  # validates the provided reset token
  validate AshAuthentication.Strategy.Password.ResetTokenValidation

  # validates that the password matches the confirmation
  validate AshAuthentication.Strategy.Password.PasswordConfirmationValidation

  # Hashes the provided password
  change AshAuthentication.Strategy.Password.HashPasswordChange

  # Generates an authentication token for the user
  change AshAuthentication.GenerateTokenChange
end

GraphQL block:

mutations do
update :reset_password_with_token, :reset_password_with_token do
  identity :unique_email
end

action :request_password_reset_token, :request_password_reset_token

mutations do
update :reset_password_with_token, :reset_password_with_token do
  identity :unique_email
end

action :request_password_reset_token, :request_password_reset_token

I am calling the API like so:

mutation RequestPasswordResetToken {
  requestPasswordResetToken(input: { email: "[email protected]" })
}

mutation ResetPasswordWithToken {
  resetPasswordWithToken(
    input: {
      password: "123456789"
      passwordConfirmation: "123456789"
      resetToken: "token_from_previous_step"
    }
    email: "[email protected]"
  ) {
    result {
      id
      email
    }
  }
}

mutation RequestPasswordResetToken {
  requestPasswordResetToken(input: { email: "[email protected]" })
}

mutation ResetPasswordWithToken {
  resetPasswordWithToken(
    input: {
      password: "123456789"
      passwordConfirmation: "123456789"
      resetToken: "token_from_previous_step"
    }
    email: "[email protected]"
  ) {
    result {
      id
      email
    }
  }
}

I also tried without the identity block and passing the token in headers - no luck. Shouldn’t the token automatically load the user? Or am I missing a step? Would really appreciate help from anyone who’s done this before!

Solution

seems like:

bypass action(:read) do
  authorize_if expr(id == ^actor(:id))
end

bypass action(:read) do
  authorize_if expr(id == ^actor(:id))
end

is the issue

after switching it to

authorize_if always()

authorize_if always()

it works now. I wonder how can I prevent users from reading the info of other users?

Jump to solution

Ash Framework•9mo ago•

14 replies

Geril

Auto generated `reset_password_with_token` not loading user

Hi everyone!

I’m trying to expose the auto-generated

reset_password_with_token

reset_password_with_token

action via Ash GraphQL, but I keep getting a

not_found

not_found

error no matter what I try.

Here’s my setup (auto generated):

update :reset_password_with_token do
  argument :reset_token, :string do
    allow_nil? false
    sensitive? true
  end

  argument :password, :string do
    description "The proposed password for the user, in plain text."
    allow_nil? false
    constraints min_length: 8
    sensitive? true
  end

  argument :password_confirmation, :string do
    description "The proposed password for the user (again), in plain text."
    allow_nil? false
    sensitive? true
  end

  # validates the provided reset token
  validate AshAuthentication.Strategy.Password.ResetTokenValidation

  # validates that the password matches the confirmation
  validate AshAuthentication.Strategy.Password.PasswordConfirmationValidation

  # Hashes the provided password
  change AshAuthentication.Strategy.Password.HashPasswordChange

  # Generates an authentication token for the user
  change AshAuthentication.GenerateTokenChange
end

update :reset_password_with_token do
  argument :reset_token, :string do
    allow_nil? false
    sensitive? true
  end

  argument :password, :string do
    description "The proposed password for the user, in plain text."
    allow_nil? false
    constraints min_length: 8
    sensitive? true
  end

  argument :password_confirmation, :string do
    description "The proposed password for the user (again), in plain text."
    allow_nil? false
    sensitive? true
  end

  # validates the provided reset token
  validate AshAuthentication.Strategy.Password.ResetTokenValidation

  # validates that the password matches the confirmation
  validate AshAuthentication.Strategy.Password.PasswordConfirmationValidation

  # Hashes the provided password
  change AshAuthentication.Strategy.Password.HashPasswordChange

  # Generates an authentication token for the user
  change AshAuthentication.GenerateTokenChange
end

GraphQL block:

mutations do
update :reset_password_with_token, :reset_password_with_token do
  identity :unique_email
end

action :request_password_reset_token, :request_password_reset_token

mutations do
update :reset_password_with_token, :reset_password_with_token do
  identity :unique_email
end

action :request_password_reset_token, :request_password_reset_token

I am calling the API like so:

mutation RequestPasswordResetToken {
  requestPasswordResetToken(input: { email: "[email protected]" })
}

mutation ResetPasswordWithToken {
  resetPasswordWithToken(
    input: {
      password: "123456789"
      passwordConfirmation: "123456789"
      resetToken: "token_from_previous_step"
    }
    email: "[email protected]"
  ) {
    result {
      id
      email
    }
  }
}

mutation RequestPasswordResetToken {
  requestPasswordResetToken(input: { email: "[email protected]" })
}

mutation ResetPasswordWithToken {
  resetPasswordWithToken(
    input: {
      password: "123456789"
      passwordConfirmation: "123456789"
      resetToken: "token_from_previous_step"
    }
    email: "[email protected]"
  ) {
    result {
      id
      email
    }
  }
}

Solution

seems like:

bypass action(:read) do
  authorize_if expr(id == ^actor(:id))
end

bypass action(:read) do
  authorize_if expr(id == ^actor(:id))
end

is the issue

after switching it to

authorize_if always()

authorize_if always()

it works now. I wonder how can I prevent users from reading the info of other users?

Jump to solution

Auto generated `reset_password_with_token` not loading user

Auto generated `reset_password_with_token` not loading user

Similar Threads

Similar Threads

Similar Threads