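defmodule Putzplan.Accounts.User do
  @moduledoc """
  User resource of the Putzplan application.

  Users are created and refreshed only through the OIDC login flow
  (`register_with_oidc`): the primary key `id` is taken from the identity
  provider's `sub` claim and `name` from the `name` entry of the user-info
  map. Every other access is denied by policy; the authentication
  framework itself is the only actor allowed to read or write this resource.
  """

  use Ash.Resource,
    otp_app: :putzplan,
    domain: Putzplan.Accounts,
    authorizers: [Ash.Policy.Authorizer],
    extensions: [AshAuthentication],
    data_layer: AshSqlite.DataLayer

  authentication do
    add_ons do
      log_out_everywhere do
        apply_on_password_change? true
      end
    end

    tokens do
      enabled? true
      token_resource Putzplan.Accounts.Token
      signing_secret Putzplan.Secrets
      # Persisting every issued token is what allows revocation (and the
      # log-out-everywhere add-on above) to work; without it tokens are
      # only verified by signature.
      store_all_tokens? true
      require_token_presence_for_authentication? true
    end

    strategies do
      oidc :oidc do
        client_id "putzplan"
        # NOTE(review): issuer URL, redirect URI and client secret are
        # hard-coded local-development values. The secret in particular
        # should be resolved at runtime (e.g. through `Putzplan.Secrets`,
        # as `signing_secret` already is) instead of living in source.
        base_url "http://127.0.0.1:9091"
        client_secret "insecure_secret"
        # Binding a nonce to the authorization request protects against
        # replay of the ID token.
        nonce true
        redirect_uri "http://127.0.0.1:4000/auth"
        authorization_params [scope: "profile email"]
      end
    end
  end

  identities do
    # `id` is both the primary key and the upsert identity used by
    # `register_with_oidc`, so a returning user updates their existing row.
    identity :id, [:id]
  end

  sqlite do
    table "users"
    repo Putzplan.Repo
  end

  actions do
    defaults [:read]

    read :get_by_subject do
      description "Get a user by the subject claim in a JWT"
      argument :subject, :string, allow_nil?: false
      get? true
      prepare AshAuthentication.Preparations.FilterBySubject
    end

    # Invoked by the OIDC strategy after a successful callback.
    #
    # `user_info` is the claims map returned by the identity provider,
    # `oauth_tokens` the raw token response. The action upserts on `id`
    # so that logging in again refreshes the stored name rather than
    # failing on a duplicate key.
    create :register_with_oidc do
      argument :user_info, :map, allow_nil?: false
      argument :oauth_tokens, :map, allow_nil?: false
      upsert? true
      upsert_identity :id

      change AshAuthentication.GenerateTokenChange

      change fn changeset, _ctx ->
        user_info = Ash.Changeset.get_argument(changeset, :user_info)

        # The previous version dumped `user_info` with `dbg/1` on every
        # login; that wrote identity-provider claims (PII) to stdout and
        # has been removed.
        #
        # NOTE(review): `id` is declared `:uuid`, so this only works when
        # the provider's `sub` claim is a UUID — confirm against the IdP.
        changeset
        |> Ash.Changeset.change_attribute(:name, user_info["name"])
        |> Ash.Changeset.change_attribute(:id, user_info["sub"])
      end
    end
  end

  policies do
    # Internal calls made by AshAuthentication (token generation, subject
    # lookup, registration) are allowed unconditionally …
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      authorize_if always()
    end

    # … and everything else is denied (default-deny).
    policy always() do
      forbid_if always()
    end
  end

  attributes do
    attribute :id, :uuid, allow_nil?: false, primary_key?: true
    attribute :name, :string, allow_nil?: false
  end
end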