57 replies

Ash Policies around :change_password action

I have a

User

User

resource with (mostly) the default

update :change_password

update :change_password

action generated by the igniter installer,

update :change_password do
  # Use this action to allow users to change their password by providing
  # their current password and a new password.

  require_atomic? false
  accept []
  argument :current_password, :string, sensitive?: true, allow_nil?: false

  argument :password, :string,
    sensitive?: true,
    allow_nil?: false,
    constraints: [min_length: 8]

  argument :password_confirmation, :string, sensitive?: true, allow_nil?: false

  validate confirm(:password, :password_confirmation)

  validate {AshAuthentication.Strategy.Password.PasswordValidation,
            strategy_name: :password, password_argument: :current_password}

  change {AshAuthentication.Strategy.Password.HashPasswordChange, strategy_name: :password}

  # validates that the password meets our password policy
  if Application.compile_env(:paddy, :enforce_password_policy) do
    validate MyApp.Validations.PasswordAllowed, before_action?: true
  end
end

update :change_password do
  # Use this action to allow users to change their password by providing
  # their current password and a new password.

  require_atomic? false
  accept []
  argument :current_password, :string, sensitive?: true, allow_nil?: false

  argument :password, :string,
    sensitive?: true,
    allow_nil?: false,
    constraints: [min_length: 8]

  argument :password_confirmation, :string, sensitive?: true, allow_nil?: false

  validate confirm(:password, :password_confirmation)

  validate {AshAuthentication.Strategy.Password.PasswordValidation,
            strategy_name: :password, password_argument: :current_password}

  change {AshAuthentication.Strategy.Password.HashPasswordChange, strategy_name: :password}

  # validates that the password meets our password policy
  if Application.compile_env(:paddy, :enforce_password_policy) do
    validate MyApp.Validations.PasswordAllowed, before_action?: true
  end
end

And a LiveComponent (attached) to provide a form to allow the user to change their password. When I start typing in the form, the validation event is triggered, and the LiveView crashes because of an Ash error,

** (Ash.Error.Unknown) 
Bread Crumbs:
  > action validation {AshAuthentication.Strategy.Password.PasswordValidation, [strategy_name: :password, password_argument: :current_password]}
  > building changeset for MyApp.Accounts.User.change_password

** (Ash.Error.Unknown) 
Bread Crumbs:
  > action validation {AshAuthentication.Strategy.Password.PasswordValidation, [strategy_name: :password, password_argument: :current_password]}
  > building changeset for MyApp.Accounts.User.change_password

For the LiveViews provided by AshAuthenticationPhoenix, the

AshAuthentication.Checks.AshAuthenticationInteraction

AshAuthentication.Checks.AshAuthenticationInteraction

bypass is satisfied, but here I am running actions directly from my code. What would be a safe way to allow access to the password fields for only the password-changen workflow, without exposing it entirely?

SAKMWzE.ex1.68KB

Solution

Yes, you could set up a policy like that

Jump to solution

Ash Framework•8mo ago•

57 replies

aidalgol

Ash Policies around :change_password action

I have a

User

User

resource with (mostly) the default

update :change_password

update :change_password

action generated by the igniter installer,

update :change_password do
  # Use this action to allow users to change their password by providing
  # their current password and a new password.

  require_atomic? false
  accept []
  argument :current_password, :string, sensitive?: true, allow_nil?: false

  argument :password, :string,
    sensitive?: true,
    allow_nil?: false,
    constraints: [min_length: 8]

  argument :password_confirmation, :string, sensitive?: true, allow_nil?: false

  validate confirm(:password, :password_confirmation)

  validate {AshAuthentication.Strategy.Password.PasswordValidation,
            strategy_name: :password, password_argument: :current_password}

  change {AshAuthentication.Strategy.Password.HashPasswordChange, strategy_name: :password}

  # validates that the password meets our password policy
  if Application.compile_env(:paddy, :enforce_password_policy) do
    validate MyApp.Validations.PasswordAllowed, before_action?: true
  end
end

update :change_password do
  # Use this action to allow users to change their password by providing
  # their current password and a new password.

  require_atomic? false
  accept []
  argument :current_password, :string, sensitive?: true, allow_nil?: false

  argument :password, :string,
    sensitive?: true,
    allow_nil?: false,
    constraints: [min_length: 8]

  argument :password_confirmation, :string, sensitive?: true, allow_nil?: false

  validate confirm(:password, :password_confirmation)

  validate {AshAuthentication.Strategy.Password.PasswordValidation,
            strategy_name: :password, password_argument: :current_password}

  change {AshAuthentication.Strategy.Password.HashPasswordChange, strategy_name: :password}

  # validates that the password meets our password policy
  if Application.compile_env(:paddy, :enforce_password_policy) do
    validate MyApp.Validations.PasswordAllowed, before_action?: true
  end
end

** (Ash.Error.Unknown) 
Bread Crumbs:
  > action validation {AshAuthentication.Strategy.Password.PasswordValidation, [strategy_name: :password, password_argument: :current_password]}
  > building changeset for MyApp.Accounts.User.change_password

** (Ash.Error.Unknown) 
Bread Crumbs:
  > action validation {AshAuthentication.Strategy.Password.PasswordValidation, [strategy_name: :password, password_argument: :current_password]}
  > building changeset for MyApp.Accounts.User.change_password

For the LiveViews provided by AshAuthenticationPhoenix, the

AshAuthentication.Checks.AshAuthenticationInteraction

AshAuthentication.Checks.AshAuthenticationInteraction

SAKMWzE.ex1.68KB

Solution

Yes, you could set up a policy like that

Jump to solution

Ash Policies around :change_password action

Ash Policies around :change_password action

Similar Threads

Similar Threads

Similar Threads