feat: final implementation hopefully we can put this to rest

Abdessabour Moutik · Abdessabour Moutik · commit 99a0262b3abd · 2025-09-24T22:32:29.000+02:00
diff --git a/lib/ash_authentication_phoenix/controller.ex b/lib/ash_authentication_phoenix/controller.ex
@@ -15,10 +15,11 @@ defmodule AshAuthentication.Phoenix.Controller do
     use MyAppWeb, :controller
     use AshAuthentication.Phoenix.Controller
 
-    def success(conn, _activity, user, _token) do
+    def success(conn, _activity, user, token) do
       conn
       |> store_in_session(user)
       |> assign(:current_user, user)
+      |> set_live_socket_id(token)
       |> redirect(to: Routes.page_path(conn, :index))
     end
 
@@ -78,6 +79,9 @@ defmodule AshAuthentication.Phoenix.Controller do
 
   alias AshAuthentication.Plug.Dispatcher
   alias AshAuthentication.Plug.Helpers
+
+  alias AshAuthentication.TokenResource.Info
+  alias AshAuthentication.Jwt
   alias Plug.Conn
 
   @type t :: module
@@ -227,4 +231,24 @@ defmodule AshAuthentication.Phoenix.Controller do
     |> Helpers.revoke_session_tokens(otp_app)
     |> Plug.Conn.clear_session()
   end
+
+  @doc """
+  Set the live socket id so we can send disconnects from the server when the token is revoked.
+
+  This ensures that the user can't use the application with revoked tokens.
+  """
+  def set_live_socket_id(conn, token) do
+    with {:ok, claims} <- Jwt.peek(token),
+         otp_app <- conn.private.phoenix_endpoint.config(:otp_app),
+         {:ok, resource} <- Jwt.token_to_resource(token, otp_app),
+         {:ok, token_resource} <-
+           AshAuthentication.Info.authentication_tokens_token_resource(resource),
+         {:ok, template_fn} <-
+           Info.token_live_socket_id_template(token_resource) do
+      conn
+      |> Plug.Conn.put_session(:live_socket_id, template_fn.(claims))
+    else
+      _ -> conn
+    end
+  end
 end
diff --git a/lib/ash_authentication_phoenix/token_revocation_notifier.ex b/lib/ash_authentication_phoenix/token_revocation_notifier.ex
@@ -0,0 +1,21 @@
+defmodule AshAuthentication.Phoenix.TokenRevocationNotifier do
+  use Ash.Notifier
+  alias AshAuthentication.TokenResource.Info
+  require Logger
+
+  def notify(%Ash.Notifier.Notification{
+        data: %{subject: "user"}
+      }),
+      do: :ok
+
+  def notify(%Ash.Notifier.Notification{
+        data: data,
+        resource: token_resource
+      }) do
+    with {:ok, template_fn} <- Info.token_live_socket_id_template(token_resource),
+         socket_id <- template_fn.(data),
+         {:ok, endpoints} when endpoints != [] <- Info.token_endpoints(token_resource) do
+      endpoints |> Enum.each(&apply(&1, :broadcast, [socket_id, "disconnect", %{}]))
+    end
+  end
+end
diff --git a/lib/mix/tasks/ash_authentication_phoenix.install.ex b/lib/mix/tasks/ash_authentication_phoenix.install.ex
@@ -95,17 +95,7 @@ if Code.ensure_loaded?(Igniter) do
           "Which Phoenix router should be modified to allow authentication?"
         )
 
-      with {igniter, router}
-           when not is_nil(router) <-
-             Igniter.Libs.Phoenix.select_router(
-               igniter,
-               "Which Phoenix router should be modified to allow authentication?"
-             ),
-           {igniter, [endpoint | _]} <-
-             Igniter.Libs.Phoenix.endpoints_for_router(
-               igniter,
-               router
-             ) do
+      if router do
         web_module = Igniter.Libs.Phoenix.web_module(igniter)
         overrides = Igniter.Libs.Phoenix.web_module_name(igniter, "AuthOverrides")
         otp_app = Igniter.Project.Application.app_name(igniter)
@@ -116,26 +106,17 @@ if Code.ensure_loaded?(Igniter) do
         |> setup_routes_alias()
         |> warn_on_missing_modules(options, argv, install?)
         |> do_or_explain_tailwind_changes()
-        |> create_auth_controller(otp_app, endpoint)
+        |> create_auth_controller(otp_app)
         |> create_overrides_module(overrides)
         |> add_auth_routes(overrides, options, router, web_module)
         |> create_live_user_auth(web_module)
       else
-        {igniter, nil} ->
-          igniter
-          |> Igniter.add_warning("""
-          AshAuthenticationPhoenix installer could not find a Phoenix router. Skipping installation.
-
-          Set up a phoenix router and reinvoke the installer with `mix igniter.install ash_authentication_phoenix`.
-          """)
-
-        {igniter, []} ->
-          igniter
-          |> Igniter.add_warning("""
-          AshAuthenticationPhoenix installer could not find any Phoenix endpoints attached to the router you selected. Skipping installation.
+        igniter
+        |> Igniter.add_warning("""
+        AshAuthenticationPhoenix installer could not find a Phoenix router. Skipping installation.
 
-          Set up a phoenix endpoint and reinvoke the installer with `mix igniter.install ash_authentication_phoenix`.
-          """)
+        Set up a phoenix router and reinvoke the installer with `mix igniter.install ash_authentication_phoenix`.
+        """)
       end
     end
 
@@ -345,7 +326,7 @@ if Code.ensure_loaded?(Igniter) do
       )
     end
 
-    defp create_auth_controller(igniter, otp_app, endpoint) do
+    defp create_auth_controller(igniter, otp_app) do
       Igniter.Project.Module.create_module(
         igniter,
         Igniter.Libs.Phoenix.web_module_name(igniter, "AuthController"),
@@ -363,12 +344,10 @@ if Code.ensure_loaded?(Igniter) do
               _ -> "You are now signed in"
             end
 
-          {:ok, %{"jti" => jti}} = AshAuthentication.Jwt.peek(token)
-
           conn
           |> delete_session(:return_to)
           |> store_in_session(user)
-          |> put_session(:live_socket_id, "users_socket:\#{jti}")
+          |> set_live_socket_id(token)
           # If your resource has a different name, update the assign name here (i.e :current_admin)
           |> assign(:current_user, user)
           |> put_flash(:info, message)
@@ -401,14 +380,10 @@ if Code.ensure_loaded?(Igniter) do
         def sign_out(conn, _params) do
           return_to = get_session(conn, :return_to) || ~p"/"
 
-          live_socket_id =
-            get_session(conn, :live_socket_id)
-
           conn
           |> clear_session(:#{otp_app})
           |> put_flash(:info, "You are now signed out")
           |> redirect(to: return_to)
-          |> tap(fn _ -> #{inspect(endpoint)}.broadcast(live_socket_id, "disconnect", %{}) end)
         end
         """
       )
