team-alembic / ash_authentication

The Ash Authentication framework
MIT License

Generated token for user confirmation is invalid - `act` does not match purpose stored in database #827

Open sevenseacat opened 12 hours ago

sevenseacat commented 12 hours ago

I'm testing setting up a password reset flow and I'm getting an error when clicking the "Confirm your email address" link in the generated email - with a flash message "incorrect email or password".

The generated token is valid, and verifies as:

iex(1)> token = "eyJhbGciOiJI..."
"eyJhbGciOiJI..."
iex(2)> AshAuthentication.Jwt.verify(token, :tunez)
{:ok,
 %{
   "act" => "confirm",
   "aud" => "~> 4.3",
   "exp" => 1731058258,
   "iat" => 1730799058,
   "iss" => "AshAuthentication v4.3.0",
   "jti" => "302gh4m3f5abj44lq4002sf3",
   "nbf" => 1730799058,
   "sub" => "user?id=c356c3af-3173-4962-a54a-d8f4a8af9f11"
 }, Tunez.Accounts.User}

The jti and sub match what I see in the database for the token.

This token has "act": "confirm" though, when in the database the purpose is "confirm_new_user".

Side note: This token, and password reset, both use the act key to store their purpose, but the sign in tokens use purpose - might also be important?
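Added example (Python, not AshAuthentication's own code) of the check the report is exercising: after a token's signature and nbf/exp window are verified, its `act` claim is compared with the purpose stored for that `jti` in the database, so a mismatch such as `"confirm"` versus `"confirm_new_user"` is surfaced explicitly instead of as a generic sign-in failure. The HS256 signing, the demo key and the stored row are constructed assumptions; AshAuthentication's real verification entry point is `AshAuthentication.Jwt.verify`.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Builds a compact JWS (HS256) so the demo has a token to verify.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: int) -> dict:
    # Signature first, then the time window; claims are untrusted until both pass.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload))
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token outside its nbf/exp window")
    return claims

def check_against_db(claims: dict, stored: dict) -> list:
    """Bind a verified token to its database row: jti, subject and purpose must all agree."""
    problems = []
    for claim, column in (("jti", "jti"), ("sub", "subject"), ("act", "purpose")):
        if claims.get(claim) != stored[column]:
            problems.append(f"{claim} mismatch: token={claims.get(claim)!r} db={stored[column]!r}")
    return problems

KEY = b"constructed-demo-signing-key"  # constructed for the demo, not a real secret
# Claims constructed to mirror the token in the report; the stored row says confirm_new_user.
CLAIMS = {"act": "confirm", "jti": "302gh4m3f5abj44lq4002sf3", "nbf": 1730799058,
          "exp": 1731058258, "sub": "user?id=c356c3af-3173-4962-a54a-d8f4a8af9f11"}
STORED = {"jti": CLAIMS["jti"], "subject": CLAIMS["sub"], "purpose": "confirm_new_user"}

def demo(now: int = 1730800000) -> list:
    # Returns the list of binding problems; empty means the token matches its row.
    token = sign_hs256(CLAIMS, KEY)
    return check_against_db(verify_hs256(token, KEY, now), STORED)
```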

sevenseacat commented 12 hours ago

Does the confirm_new_user in the database come from the config in the resource?

Default config from ash_authentication.add_strategy password:

      confirmation :confirm_new_user do
        monitor_fields([:email])
        confirm_on_create?(true)
        confirm_on_update?(false)
        sender(Tunez.Accounts.User.Senders.SendNewUserConfirmationEmail)
      end

I can't find anywhere it comes from the AA codebase...