View Source AshAuthentication.TokenResource (ash_authentication v4.0.0)

This is an Ash resource extension which generates the default token resource.

The token resource is used to store information about tokens that should not be shared with the end user. It does not actually contain any tokens.

For example:

  • When an authentication token has been revoked
  • When a confirmation token has changes to apply

Storage

The information stored in this resource is essentially ephemeral - all tokens have an expiry date, so it doesn't make sense to keep them after that time has passed. However, if you have any tokens with very long expiry times then we suggest you store this resource in a resilient data-layer such as Postgres.

Usage

There is no need to define any attributes or actions (although you can if you want). The extension will wire up everything that's needed for the token system to function.

defmodule MyApp.Accounts.Token do
  use Ash.Resource,
    data_layer: AshPostgres.DataLayer,
    extensions: [AshAuthentication.TokenResource],
    domain: MyApp.Accounts

  postgres do
    table "tokens"
    repo MyApp.Repo
  end
end

Whilst it is possible to have multiple token resources, there is no need to do so.

Removing expired records

Once a token has expired there's no point in keeping the information it refers to, so expired tokens can be automatically removed by adding the AshAuthentication.Supervisor to your application supervision tree. This will start the AshAuthentication.TokenResource.Expunger GenServer which periodically scans and removes any expired records.

Summary

Functions

Link to this function

expunge_expired(resource, opts \\ [])

View Source
@spec expunge_expired(
  Ash.Resource.t(),
  keyword()
) :: :ok | {:error, any()}

Remove all expired records.

Link to this function

jti_revoked?(resource, jti, opts \\ [])

View Source
@spec jti_revoked?(Ash.Resource.t(), String.t(), keyword()) :: boolean()

Has the token been revoked?

Similar to token-revoked?/2..3 except that rather than extracting the JTI from the token, assumes that it's being passed in directly.

Link to this function

revoke(resource, token, opts \\ [])

View Source
@spec revoke(Ash.Resource.t(), String.t(), keyword()) :: :ok | {:error, any()}

Revoke a token.

Extracts the JTI from the provided token and uses it to generate a revocation record.

Link to this function

token_revoked?(resource, token, opts \\ [])

View Source
@spec token_revoked?(Ash.Resource.t(), String.t(), keyword()) :: boolean()

Has the token been revoked?

Similar to jti_revoked?/2..3 except that it extracts the JTI from the token, rather than relying on it to be passed in.