chore(AshAuthenticationPhoenix): added library and updated ressources testing password strategy

2025-06-03 08:39:28 +02:00 · 2025-06-03 08:39:28 +02:00 · 944ab37b22
commit 944ab37b22
parent 7e1c1a4379
24 changed files with 683 additions and 26 deletions
--- a/lib/accounts/accounts.ex
+++ b/lib/accounts/accounts.ex
@ -4,10 +4,12 @@ defmodule Mv.Accounts do

  resources do
    resource Mv.Accounts.User do
-      define(:create_user, action: :create)
-      define(:list_users, action: :read)
-      define(:update_user, action: :update)
-      define(:destroy_user, action: :destroy)
+      define :create_user, action: :create
+      define :list_users, action: :read
+      define :update_user, action: :update
+      define :destroy_user, action: :destroy
    end
+
+    resource Mv.Accounts.Token
  end
 end
--- a/lib/accounts/token.ex
+++ b/lib/accounts/token.ex
@ -0,0 +1,11 @@
+defmodule Mv.Accounts.Token do
+  use Ash.Resource,
+    data_layer: AshPostgres.DataLayer,
+    extensions: [AshAuthentication.TokenResource],
+    domain: Mv.Accounts
+
+  postgres do
+    table "tokens"
+    repo Mv.Repo
+  end
+end
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@ -1,26 +1,78 @@
 defmodule Mv.Accounts.User do
  use Ash.Resource,
    domain: Mv.Accounts,
-    data_layer: AshPostgres.DataLayer
+    data_layer: AshPostgres.DataLayer,
+    extensions: [AshAuthentication]
+
+  # authorizers: [Ash.Policy.Authorizer]

  postgres do
-    table("users")
-    repo(Mv.Repo)
+    table "users"
+    repo Mv.Repo
  end

-  attributes do
-    uuid_primary_key(:id)
+  authentication do
+    tokens do
+      enabled? true
+      token_resource Mv.Accounts.Token
+      signing_secret fn _, _ ->
+        {:ok, Application.get_env(:mv, :token_signing_secret)}
+      end
+    end

-    attribute(:email, :string, allow_nil?: true, public?: true)
-    attribute(:password_hash, :string, sensitive?: true)
-    attribute(:oicd_id, :string)
+    strategies do
+      password :password do
+        identity_field :email
+        hash_provider AshAuthentication.BcryptProvider
+        confirmation_required? false
+      end
+    end
  end

  actions do
-    defaults([:read, :destroy, :create, :update])
+    defaults [:read, :create, :destroy, :update]
+
+    read :get_by_subject do
+      description "Get a user by the subject claim in a JWT"
+      argument :subject, :string, allow_nil?: false
+      get? true
+      prepare AshAuthentication.Preparations.FilterBySubject
+    end
+
+    # read :sign_in_with_example do
+    #   argument :user_info, :map, allow_nil?: false
+    #   argument :oauth_tokens, :map, allow_nil?: false
+    #   prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
+
+    #   filter expr(email == get_path(^arg(:user_info), [:email]))
+    # end
+  end
+
+  attributes do
+    uuid_primary_key :id
+
+    attribute :email, :ci_string, allow_nil?: false, public?: true
+    attribute :hashed_password, :string, sensitive?: true, allow_nil?: true
+    attribute :oicd_id, :string, allow_nil?: true
  end

  relationships do
-    belongs_to(:member, Mv.Membership.Member)
+    belongs_to :member, Mv.Membership.Member
  end
+
+  identities do
+    identity :unique_email, [:email]
+  end
+
+  # You can customize this if you wish, but this is a safe default that
+  # only allows user data to be interacted with via AshAuthentication.
+  # policies do
+  #   bypass AshAuthentication.Checks.AshAuthenticationInteraction do
+  #     authorize_if(always())
+  #   end
+
+  #   policy always() do
+  #     forbid_if(always())
+  #   end
+  # end
 end
--- a/lib/mv/accounts/user/senders/send_new_user_confirmation_email.ex
+++ b/lib/mv/accounts/user/senders/send_new_user_confirmation_email.ex
@ -0,0 +1,32 @@
+defmodule Mv.Accounts.User.Senders.SendNewUserConfirmationEmail do
+  @moduledoc """
+  Sends an email for a new user to confirm their email address.
+  """
+
+  use AshAuthentication.Sender
+  use MvWeb, :verified_routes
+
+  import Swoosh.Email
+
+  alias Mv.Mailer
+
+  @impl true
+  def send(user, token, _) do
+    new()
+    # TODO: Replace with your email
+    |> from({"noreply", "noreply@example.com"})
+    |> to(to_string(user.email))
+    |> subject("Confirm your email address")
+    |> html_body(body(token: token))
+    |> Mailer.deliver!()
+  end
+
+  defp body(params) do
+    url = url(~p"/confirm_new_user/#{params[:token]}")
+
+    """
+    <p>Click this link to confirm your email:</p>
+    <p><a href="#{url}">#{url}</a></p>
+    """
+  end
+end
--- a/lib/mv/accounts/user/senders/send_password_reset_email.ex
+++ b/lib/mv/accounts/user/senders/send_password_reset_email.ex
@ -0,0 +1,32 @@
+defmodule Mv.Accounts.User.Senders.SendPasswordResetEmail do
+  @moduledoc """
+  Sends a password reset email
+  """
+
+  use AshAuthentication.Sender
+  use MvWeb, :verified_routes
+
+  import Swoosh.Email
+
+  alias Mv.Mailer
+
+  @impl true
+  def send(user, token, _) do
+    new()
+    # TODO: Replace with your email
+    |> from({"noreply", "noreply@example.com"})
+    |> to(to_string(user.email))
+    |> subject("Reset your password")
+    |> html_body(body(token: token))
+    |> Mailer.deliver!()
+  end
+
+  defp body(params) do
+    url = url(~p"/password-reset/#{params[:token]}")
+
+    """
+    <p>Click this link to reset your password:</p>
+    <p><a href="#{url}">#{url}</a></p>
+    """
+  end
+end
--- a/lib/mv/application.ex
+++ b/lib/mv/application.ex
@ -14,6 +14,7 @@ defmodule Mv.Application do
      {Phoenix.PubSub, name: Mv.PubSub},
      # Start the Finch HTTP client for sending emails
      {Finch, name: Mv.Finch},
+      {AshAuthentication.Supervisor, otp_app: :my},
      # Start a worker by calling: Mv.Worker.start_link(arg)
      # {Mv.Worker, arg},
      # Start to serve requests, typically the last entry
--- a/lib/mv/repo.ex
+++ b/lib/mv/repo.ex
@ -5,7 +5,7 @@ defmodule Mv.Repo do
  @impl true
  def installed_extensions do
    # Add extensions here, and the migration generator will install them.
-    ["ash-functions"]
+    ["ash-functions", "citext"]
  end

  # Don't open unnecessary transactions
--- a/lib/mv_web/auth_overrides.ex
+++ b/lib/mv_web/auth_overrides.ex
@ -0,0 +1,20 @@
+defmodule MvWeb.AuthOverrides do
+  use AshAuthentication.Phoenix.Overrides
+
+  # configure your UI overrides here
+
+  # First argument to `override` is the component name you are overriding.
+  # The body contains any number of configurations you wish to override
+  # Below are some examples
+
+  # For a complete reference, see https://hexdocs.pm/ash_authentication_phoenix/ui-overrides.html
+
+  # override AshAuthentication.Phoenix.Components.Banner do
+  #   set :image_url, "https://media.giphy.com/media/g7GKcSzwQfugw/giphy.gif"
+  #   set :text_class, "bg-red-500"
+  # end
+
+  # override AshAuthentication.Phoenix.Components.SignIn do
+  #  set :show_banner, false
+  # end
+end
--- a/lib/mv_web/controllers/auth_controller.ex
+++ b/lib/mv_web/controllers/auth_controller.ex
@ -0,0 +1,55 @@
+defmodule MvWeb.AuthController do
+  use MvWeb, :controller
+  use AshAuthentication.Phoenix.Controller
+
+  def success(conn, activity, user, _token) do
+    return_to = get_session(conn, :return_to) || ~p"/"
+
+    message =
+      case activity do
+        {:confirm_new_user, :confirm} -> "Your email address has now been confirmed"
+        {:password, :reset} -> "Your password has successfully been reset"
+        _ -> "You are now signed in"
+      end
+
+    conn
+    |> delete_session(:return_to)
+    |> store_in_session(user)
+    # If your resource has a different name, update the assign name here (i.e :current_admin)
+    |> assign(:current_user, user)
+    |> put_flash(:info, message)
+    |> redirect(to: return_to)
+  end
+
+  def failure(conn, activity, reason) do
+    message =
+      case {activity, reason} do
+        {_,
+         %AshAuthentication.Errors.AuthenticationFailed{
+           caused_by: %Ash.Error.Forbidden{
+             errors: [%AshAuthentication.Errors.CannotConfirmUnconfirmedUser{}]
+           }
+         }} ->
+          """
+          You have already signed in another way, but have not confirmed your account.
+          You can confirm your account using the link we sent to you, or by resetting your password.
+          """
+
+        _ ->
+          "Incorrect email or password"
+      end
+
+    conn
+    |> put_flash(:error, message)
+    |> redirect(to: ~p"/sign-in")
+  end
+
+  def sign_out(conn, _params) do
+    return_to = get_session(conn, :return_to) || ~p"/"
+
+    conn
+    |> clear_session()
+    |> put_flash(:info, "You are now signed out")
+    |> redirect(to: return_to)
+  end
+end
--- a/lib/mv_web/live_user_auth.ex
+++ b/lib/mv_web/live_user_auth.ex
@ -0,0 +1,44 @@
+defmodule MvWeb.LiveUserAuth do
+  @moduledoc """
+  Helpers for authenticating users in LiveViews.
+  """
+
+  import Phoenix.Component
+  use MvWeb, :verified_routes
+
+  # This is used for nested liveviews to fetch the current user.
+  # To use, place the following at the top of that liveview:
+  # on_mount {MvWeb.LiveUserAuth, :current_user}
+  def on_mount(:current_user, _params, session, socket) do
+    return_to = session[:return_to]
+    socket =
+      socket
+      |> assign(:return_to, return_to)
+      |> AshAuthentication.Phoenix.LiveSession.assign_new_resources(session)
+    {:cont, session, socket}
+  end
+
+  def on_mount(:live_user_optional, _params, _session, socket) do
+    if socket.assigns[:current_user] do
+      {:cont, socket}
+    else
+      {:cont, assign(socket, :current_user, nil)}
+    end
+  end
+
+  def on_mount(:live_user_required, _params, _session, socket) do
+    if socket.assigns[:current_user] do
+      {:cont, socket}
+    else
+      {:halt, Phoenix.LiveView.redirect(socket, to: ~p"/sign-in")}
+    end
+  end
+
+  def on_mount(:live_no_user, _params, _session, socket) do
+    if socket.assigns[:current_user] do
+      {:halt, Phoenix.LiveView.redirect(socket, to: ~p"/")}
+    else
+      {:cont, assign(socket, :current_user, nil)}
+    end
+  end
+end
--- a/lib/mv_web/member_live/index.ex
+++ b/lib/mv_web/member_live/index.ex
@ -1,6 +1,8 @@
 defmodule MvWeb.MemberLive.Index do
  use MvWeb, :live_view

+  on_mount {MvWeb.LiveUserAuth, :live_user_required}
+
  @impl true
  def render(assigns) do
    ~H"""
--- a/lib/mv_web/router.ex
+++ b/lib/mv_web/router.ex
@ -1,6 +1,10 @@
 defmodule MvWeb.Router do
  use MvWeb, :router

+  use AshAuthentication.Phoenix.Router
+
+  import AshAuthentication.Plug.Helpers
+
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
@ -8,21 +12,45 @@ defmodule MvWeb.Router do
    plug :put_root_layout, html: {MvWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
+    plug :load_from_session
  end

  pipeline :api do
    plug :accepts, ["json"]
+    plug :load_from_bearer
+    plug :set_actor, :user
+  end
+
+  scope "/", MvWeb do
+    pipe_through :browser
+
+    ash_authentication_live_session :authenticated_routes do
+      # in each liveview, add one of the following at the top of the module:
+      #
+      # If an authenticated user must be present:
+      # on_mount {MvWeb.LiveUserAuth, :live_user_required}
+      #
+      # If an authenticated user *may* be present:
+      # on_mount {MvWeb.LiveUserAuth, :live_user_optional}
+      #
+      # If an authenticated user must *not* be present:
+      # on_mount {MvWeb.LiveUserAuth, :live_no_user}
+    end
  end

  scope "/", MvWeb do
    pipe_through :browser

    get "/", PageController, :home
-    live "/members", MemberLive.Index, :index
-    live "/members/new", MemberLive.Index, :new
-    live "/members/:id/edit", MemberLive.Index, :edit
-    live "/members/:id", MemberLive.Show, :show
-    live "/members/:id/show/edit", MemberLive.Show, :edit
+
+    ash_authentication_live_session :session_name do
+      live "/members", MemberLive.Index, :index
+      live "/members/new", MemberLive.Index, :new
+      live "/members/:id/edit", MemberLive.Index, :edit
+      live "/members/:id", MemberLive.Show, :show
+      live "/members/:id/show/edit", MemberLive.Show, :edit
+    end
+

    live "/property_types", PropertyTypeLive.Index, :index
    live "/property_types/new", PropertyTypeLive.Index, :new
@ -35,6 +63,30 @@ defmodule MvWeb.Router do
    live "/properties/:id/edit", PropertyLive.Index, :edit
    live "/properties/:id", PropertyLive.Show, :show
    live "/properties/:id/show/edit", PropertyLive.Show, :edit
+    auth_routes AuthController, Mv.Accounts.User, path: "/auth"
+    sign_out_route AuthController
+
+    # Remove these if you'd like to use your own authentication views
+    sign_in_route register_path: "/register",
+                  reset_path: "/reset",
+                  auth_routes_prefix: "/auth",
+                  on_mount: [{MvWeb.LiveUserAuth, :live_no_user}],
+                  overrides: [MvWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default]
+
+    # Remove this if you do not want to use the reset password feature
+    reset_route auth_routes_prefix: "/auth",
+                overrides: [MvWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default]
+
+    # Remove this if you do not use the confirmation strategy
+    confirm_route Mv.Accounts.User, :confirm_new_user,
+      auth_routes_prefix: "/auth",
+      overrides: [MvWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default]
+
+    # Remove this if you do not use the magic link strategy.
+    # magic_sign_in_route(Mv.Accounts.User, :magic_link,
+    #   auth_routes_prefix: "/auth",
+    #   overrides: [MvWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default]
+    # )
  end

  # Other scopes may use custom stacks.