My application authenticates users in two steps:
- Step 1: the user logs in with OAuth2 (OIDC); the callback stores only the user's id in the Phoenix session.
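defmodule MyApp.AuthController do
  # ... (`use MyAppWeb, :controller`, aliases, etc. elided in the original)

  @doc """
  OIDC redirect target: exchanges the authorization `code` for an ID token,
  verifies it, signs the matching local account in and stores only the
  user's id in the (signed) Phoenix session cookie before redirecting home.

  The session id is renewed on successful login so that a session created
  before authentication cannot be turned into an authenticated one by an
  attacker who planted it (session fixation).

  NOTE(review): the OAuth2 `state` parameter is not checked anywhere in this
  snippet. Without comparing it to a value stored before the redirect, the
  callback is open to login CSRF (an attacker can log the victim into the
  attacker's account). Whether `OAuth2.verify_id_token/1` validates the
  token signature, issuer, audience, expiry and nonce cannot be seen from
  here either — confirm.
  """
  def oauth2_callback(conn, %{"code" => code}) do
    with {:ok, %{id_token: id_token}} <- OAuth2.get_id_token(code),
         {:ok, %{key: provider_key}} <- OAuth2.verify_id_token(id_token),
         {:ok, user} <- Accounts.sign_in(%{provider_key: provider_key}) do
      conn
      # Drop the pre-login session (new session id) before storing the
      # authenticated user id.
      |> configure_session(renew: true)
      |> put_session(:user_id, user.id)
      |> redirect(to: ~p"/")
    else
      # Any failed step must still produce a response; the original `with`
      # had no `else`, so a failure returned a bare error tuple and Plug
      # would raise. Fail closed: no session is written.
      _error ->
        conn
        |> put_flash(:error, "Authentication failed")
        |> redirect(to: ~p"/")
    end
  end
end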
- Step 2: authentication in a LiveView `on_mount` hook (there is no authentication plug in the router pipeline).
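defmodule MyAppWeb.AuthHook do
  # ... (imports of Phoenix.Component / Phoenix.LiveView elided in the original)

  @doc """
  `live_session` on_mount hook that resolves the `"user_id"` stored in the
  Phoenix session into `@current_user`, or refuses the mount.

  Security notes:
    * The Phoenix session cookie is signed with `secret_key_base` (and may
      additionally be encrypted), so a client cannot pick an arbitrary
      `user_id`; reading it here is exactly as trustworthy as reading it in a
      plug. The id is still a bearer credential — whoever holds the cookie is
      that user — so keep the cookie Secure/HttpOnly and renew the session on
      login.
    * Both the HTTP (disconnected) and WebSocket (connected) mounts run this
      hook, and the connected mount receives the same signed session, so the
      check cannot be bypassed by opening the socket directly.
    * Because no plug authenticates these routes, this hook MUST `:halt` when
      the user cannot be resolved. The original only assigned `current_user`
      (possibly `nil`) and always returned `{:cont, socket}`, so a LiveView
      would mount for a deleted user or for anyone with a session that simply
      lacked `"user_id"` (the latter crashed with `FunctionClauseError`).
  """
  def on_mount(:default, _params, %{"user_id" => user_id}, socket) do
    socket = assign_new(socket, :current_user, fn -> Accounts.get_user(user_id) end)

    if socket.assigns.current_user do
      {:cont, socket}
    else
      # Stale id (user removed or disabled) — treat it like no session.
      {:halt, Phoenix.LiveView.redirect(socket, to: "/")}
    end
  end

  # No user id in the session at all: refuse the mount instead of crashing.
  # TODO(review): point this at the login route if "/" is itself inside the
  # protected live_session, otherwise the redirect would loop.
  def on_mount(:default, _params, _session, socket) do
    {:halt, Phoenix.LiveView.redirect(socket, to: "/")}
  end
end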
In the router:
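scope "/", MyAppWeb do
  # ... (`pipe_through :browser` etc. elided in the original)

  # `live_session` is a macro: `live_session :user, ...`. The original
  # `live_session, :user, ...` (comma after the name) does not compile.
  # Every LiveView routed inside this block runs MyAppWeb.AuthHook.on_mount/4
  # on both the HTTP and the WebSocket mount. Plain controller routes in this
  # scope are NOT covered by the hook and need their own authentication plug.
  live_session :user, on_mount: [MyAppWeb.AuthHook] do
    # ... (`live "/..."` routes elided in the original)
  end
end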
Does skipping authentication in a plug and reading `user_id` straight from the session inside a LiveView `on_mount` hook open up any way for a user to end up logged in as a different user?