Custom authentication logic, add "account disabled" to default sign-in page

Hi,

I’m very new to Ash (Authentication) and evaluating it for a client project, amazing work so far!

My project requires the ability to disable accounts, Ash Authentication does so much out of the box, which is godsent after implementing it myself, but I’m struggling a little to customise it and ensure it works correctly. I don’t need any SSO providers.

With my current understanding, the simplest place for this seems to be in user.ex as an additional policy that checks the User resource active boolean attribute, before the AshAuthenticationInteraction bypass.

policy action_type(:read) do
  authorize_if expr(active == true)
end

bypass AshAuthentication.Checks.AshAuthenticationInteraction do
  authorize_if always()
end

This seems to work as intended… However the sign-in page displays “invalid email or password” for disabled accounts.

  1. Is there a way to display a custom error/flash message (with policies, or other), or does this need a custom sign-in page implementation?
  2. Would a validate or prepare in the sign_in_with_password action work better?
  3. In the case of wanting an audit trail for this or something similar, is there a way to retrieve the last resource of a one-to-many relation in an action (such as sign-in) and check an attribute (one user ↔ many disable change event)?

Thank you in advance!
Marcus