View Source Get Started with AshCloak
Installation
Add ash_cloak
to your list of dependencies in mix.exs
:
{:ash_cloak, "~> 0.1.2"}
Follow the cloak getting started guide to add cloak
as a dependency, as AshCloak does not add a vault implementation for you. Note that you do not need cloak_ecto
because your Ash data layer will take care of this.
Alternatively you could use your own vault module that implements encrypt!
and decrypt!
, but we recommend using Cloak
to achieve that goal. See the cloak vault guide
Add the AshCloak
extension to your resource
defmodule User do
use Ash.Resource, extensions: [AshCloak]
cloak do
# the vault to use to encrypt them
vault MyApp.Vault
# the attributes to encrypt
attributes [:address, :phone_number]
# This is just equivalent to always providing `load: fields` on all calls
decrypt_by_default [:address]
# An MFA or function to be invoked beforce any decryption
on_decrypt fn records, field, context ->
# Ash has policies that allow forbidding certain users to load data.
# You should generally use those for authorization rules, and
# only use this callback for auditing/logging.
Audit.user_accessed_encrypted_field(records, field, context)
if context.user.name == "marty" do
{:error, "No martys at the party!"}
else
:ok
end
end
end
end