Ash Weekly: Issue #5
Fun with Nested Forms, "Log Out Everywhere", a (mild) CVE, and a CodeBeam US Training Discount!
Ash Weekly!
This is a super quick, informal update about the goings on in and around Ash Framework each week. If you find something interesting and think it should make it on this newsletter, drop a message in the #ash-weekly channel in our Discord server.
Shameless Plugs
Check out Ash Premium Support from Alembic.
Sponsor me if you like what I do.
CodeBeam US Training | 30% Discount!
We have a training coming up at CodeBeam US! Catch us on March 5th for Supercharge Your Elixir Apps with Ash! It’s a great training, fun for us and for attendees. It is great for folks new to Ash as well as those with lots of experience.
We’ve got a special offer available for subscribers to Ash Weekly and members of the Discord server for 30% off 🥳!
I’ll also be giving a talk on Igniter, so drop by for the training and the conference to hear the latest updates on the project!
Check out this interview with Eileen Noonan about her experience with the training!
Fun with Nested Forms
The latest chapter of the Ash Book is out! In this chapter we break down how to deal with nested forms, in addition to all sorts of goodies when dealing with related data in general. See how we build this editable track list for albums!
Log Out Everywhere
We’ve introduced a new add-on called `log_out_everywhere`, which provides an action for revoking all current sessions for users. It also comes with an option to do this automatically on password change. There was nothing preventing users from building this sort of logic into their own password reset flows, but we realized that folks expected it to happen automatically, as it’s something that happens out of the box with `phx.gen.auth`. The generators have been modified to apply this add-on automatically, and we encourage users to apply it as well.
AshAuthentication Generators Issue
When upgrading AshAuthentication, you may notice an error that requires manual resolution if you used the generators. While frustrating, this is actually a great example of why we believe it’s good to have your auth solution as a *mix* of generated code and library code. We can detect bad states in the code that was generated, either because we made a mistake or because you did, and warn you about them. Some of these things can be fixed automatically, but others require manual intervention. But at least you can find out about them with a simple upgrade 🎉
AshAuthentication Token Revocation CVE
Speaking of issues w/ generators, due to the way we were generating the token revocation action, certain tokens that were meant to not be reusable were, in fact, reusable. This only affects you if you’ve installed AshAuthentication using the new generators. The tokens would still properly expire after their intended duration. For magic link that default is 10 minutes, and for password reset that default is 3 days, so this is not a *severe* issue, but we take security issues very seriously and will always file CVEs whenever it is the appropriate thing to do.
For more information, see the advisory.
Catch Josh’s CodeBEAM webinar
Josh dives into what the future of Ash and GenAI could look like!
Releases
Ash: 3.4.63
Improvements
Add `string_position/2` expression, used to power a soon-to-be-released AshAdmin improvement!
Add `dimensions` constraint to built in vector type. Wonder what that’s about…🤖
Add `reuse_values?` option for `Ash.calculate` to allow using data on the passed in record instead of making a database query (defaults to off)
Add `reuse_values?` option to `Ash.can` for the exact same reason
Prefer to call `calculate/3` when a calculation defines `calculate/3` and `expression/2`, and `reuse_values?` is `true`.
add `Ash.Type.coerce/2` callback to `Ash.Type`, which can be used as a more “insistent” `cast_input/2` for
Verify that pubsub action names actually exist and are valid at compile time.
Add `filter` and `transform` options to the builtin pubsub notifier.
Fixes
Set `read_after_writes` to `true` in the underlying Ecto schema for all generated attributes, helps when using an Ash.Resource as an Ecto schema.
Various fixes for the builtin `:vector` type. Wonder what that’s about…🤖
Fix pins in string interpolation on expression. This fixes syntax like: `expr("Hello: #{^arg(:name)}")`
Fix a case where calling bulk create with `[]` would not return a stream when `return_stream?: true` is given.
Fix a case where using the raising variant of bulk actions wouldn’t fail if status was `:partial_success`.
Don’t try to use `authorize_with: :error` automatically for data layers that can’t do it. (AshSqlite, AshMysql)
Properly pass tenant down to cascade destroy and cascade update changes.
Fix for `mix ash.extend` when the resource uses a base resource.
Fix case where we were not handling generic actions returning notifications
Fix internal pattern match error on `:struct` type with `:fields` constraint.
Fix a case where the `authorize?` option was not passed to the action in `Ash.Generator.generate_many`
Reactor: 0.13.0-0.13.1
Improvements
Radically simplify reactor composition by doing it all at runtime. Thanks to internal refactors, there is effectively zero benefit to compile time composition work.
Igniter: 0.5.22-0.5.24
Improvements
Use project’s `config_path` from `mix.exs` when editing config, allowing better support for umbrella apps and other projects just in general.
Support non-literal lists in deps, via a configurable strategy. If your deps can’t be edited, you will be prompted to address it by configuring a deps_finder.
Better UX around large diffs, where we just display file changes and let the user tell us how to proceed.
Fixes
Better behavior when calling `configure_runtime_env/6`, to overwrite the configured value with the new value by default (like all the other config functions do)
Properly split `--with-args` in `mix igniter.new`
Ensure that the installer starts any apps `igniter` uses
Don’t duplicate `Web` when determining the web module for an app that already ends in `Web`, i.e. not `MyAppWebWeb`.
AshGraphql 1.6.0
Improvements
Custom complexity callbacks for types and queries
Fixes
Handle pattern match error for actions with no return
AshJsonApi 1.4.19
Improvements
Add calculation inputs to the OpenAPI filter specification
Include source pointer when debug logging errors
Fixes
Use debug log for errors by default, not `info`
Ensure that update actions don’t require all inputs (i.e. honor standard PATCH rules for JSON:API)
Properly apply the destination resource’s `default_fields` to included data
AshAuthentication 4.5.0-4.5.1
Improvements
Add a `log_out_everywhere` add-on
Fixes
Ensure that the token resource has only `:jti`
Ensure that the installer generated token revocation action is correct.
AshPostgres 2.5.2-2.5.3
Improvements
Add `vector_l2_distance/2` function
Use the `dimensions` constraint as the size when generating migrations for vectors. Wonder what that’s about…🤖
Support concurrently generating index migrations
Fixes
Properly handle dropping fields that are part of a composite primary key. When this happens, the primary key itself is implicitly dropped from the resource, and must be recreated.
Ignore module conflicts when running migrations for tenants when using context multi tenancy. This avoids a bunch of unnecessary warnings.
Fix lateral join logic to properly apply aggregates and joins referenced from `parent/1` expressions on the first relationship in the relationship path of the aggregate
Fix CLI args for migrate and rollback tasks to match their underlying Ecto counterpart
Consider `identity.where` when determining if identities have changed and need migrations generated for them.
AshSql 0.2.54-0.2.56
Improvements
Support the new `string_position` function.
Fixes
Fix lateral join logic to properly apply aggregates and joins referenced from `parent/1` expressions on the first relationship in the relationship path of the aggregate
Fix the behavior of `start_of_day/2` expression WRT the database’s timezone
AshArchival 1.1.1
Fixes
Pass tenant to `load` in `archive_related`
Set the relationship’s context on bulk destroy
AshCloak 1.1.1
Fixes
Fix a bad return value when nothing is changing during encryption
AshOban 0.3.2
Improvements
Import `:ash_oban` in `.formatter.exs`
AshPaperTrail 0.5.1
Fixes
Ensure bulk create raises any errors that occur while bulk creating versions
AshPhoenix 2.1.18
Fixes
Fix a type spec for `page_link_params`