bug: bypass policy fails on sign-in #659

Closed
frankdugan3 opened this issue Apr 29, 2024 · 1 comment

Comments

@frankdugan3
Contributor

I am encountering an authorization issue with AshAuthentication on sign-in. This is with all the latest Ash 3.0-related RCs.

[error] GenServer #PID<0.3946.0> terminating
** (MatchError) no match of right hand side value: :error
    (ash_authentication 4.0.0-rc.6) lib/ash_authentication/strategies/password/sign_in_preparation.ex:132: AshAuthentication.Strategy.Password.SignInPreparation.generate_token/3
    (ash_authentication 4.0.0-rc.6) lib/ash_authentication/strategies/password/sign_in_preparation.ex:45: anonymous fn/3 in AshAuthentication.Strategy.Password.SignInPreparation.prepare/3
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:1689: anonymous fn/2 in Ash.Actions.Read.run_after_action/2
    (elixir 1.16.2) lib/enum.ex:4839: Enumerable.List.reduce/3
    (elixir 1.16.2) lib/enum.ex:2582: Enum.reduce_while/3
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:1687: Ash.Actions.Read.run_after_action/2
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:446: anonymous fn/5 in Ash.Actions.Read.do_read/4
    (ash 3.0.0-rc.37) lib/ash/process_helpers.ex:38: anonymous fn/4 in Ash.ProcessHelpers.async/2
    (elixir 1.16.2) lib/task/supervised.ex:101: Task.Supervised.invoke_mfa/2
    (elixir 1.16.2) lib/task/supervised.ex:36: Task.Supervised.reply/4
    (ash 3.0.0-rc.37) lib/ash/process_helpers.ex:32: Ash.ProcessHelpers.async/2
    (ash 3.0.0-rc.37) lib/ash/process_helpers.ex:66: Ash.ProcessHelpers.task_with_timeout/5
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:558: Ash.Actions.Read.maybe_in_transaction/3
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:241: Ash.Actions.Read.do_run/3
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:62: anonymous fn/3 in Ash.Actions.Read.run/3
    (ash 3.0.0-rc.37) lib/ash/actions/read/read.ex:61: Ash.Actions.Read.run/3
    (ash 3.0.0-rc.37) lib/ash.ex:1964: Ash.do_read_one/3
    (ash 3.0.0-rc.37) lib/ash.ex:1913: Ash.read_one/2
    (ash_phoenix 2.0.0-rc.7) lib/ash_phoenix/form/form.ex:1874: AshPhoenix.Form.with_changeset/2
    (ash_phoenix 2.0.0-rc.7) lib/ash_phoenix/form/form.ex:1726: AshPhoenix.Form.submit/2

The relevant DB/policy output is:

begin []
[debug] QUERY OK source="user_tokens" db=0.4ms
INSERT INTO "user_tokens" AS u0 ...
[debug] QUERY OK source="user_tokens" db=0.0ms
SELECT u0."user_id", u0."jti" FROM "user_tokens" AS u0 WHERE (u0."jti"::text = $1::text) ["2v5cr0hp139u7ftbak0024ga"]
[error] Hsm.Authentication.User.read

Policy Breakdown
  Policy | ⛔:
    condition: action.type == :read
    authorize if: id == {:_actor, :id} | ✘ | 🔎
    forbid unless: actor is active | ✘ | ⛔
    authorize if: actor is IT Admin, Human Resources, Executive | ? |
[debug] QUERY OK db=0.0ms
rollback []

I have the required bypass on both the user and token resources:

policies do
  bypass AshAuthentication.Checks.AshAuthenticationInteraction do
    authorize_if always()
  end
end

If I add in the following on the user resource, it works:

policy action_type(:read) do
  authorize_if always()
end

I suspect what's happening is that one of the token-related API calls isn't setting ash_authentication?: true in the context, and therefore isn't passing the bypass policy. I did a quick look through the code and did not spot that case, however.

I am using the following authentication block:

  authentication do
    strategies do
      password :password do
        identity_field :email
        registration_enabled? true
        sign_in_tokens_enabled? true

        resettable do
          sender Hsm.Authentication.Senders.SendPasswordResetEmail
        end
      end
    end

    tokens do
      enabled? true
      token_resource Hsm.Authentication.UserToken
      signing_secret Hsm.Authentication.Secrets
      store_all_tokens? true
      require_token_presence_for_authentication? true
    end
  end

@frankdugan3
Contributor Author

Never mind, major PEBKAC on this one!
