API with Comeonin - plug or changeset?

I’m working on an app with a REST API and using Comeonin for authentication. I’m going to use either Guardian or Joken for JWT authentication, but logging in will require a password. In the Programming Phoenix book they implement authentication with a plug and update the session. But with a REST API you don’t have a session so I’m not sure of the best place to implement authentication. One tutorial simply hardcodes the calls to checkpw in the login method, but I don’t want to do that.

Option 1: Plug. I could create a Plug that checks the password, and set up a dedicated pipeline for logging in that uses that plug.

Option 2: Changesets. Create a changeset validation that calls checkpw. Then create a dedicated login_changeset pipeline with this changeset validation.

I’m a newbie to Elixir but one of the things that appeals to me is that it is a “convention over configuration” framework but this is one area where I can’t figure out the best approach.

1 Like

A REST API should still have a session; cookies and all still exist and are still passed around.

I, as always, recommend putting things like login and password check functionality in a dedicated module that can be called via multiple areas as necessary. :slight_smile:

As for in that module, option 1 is what I do to handle initial login, but then I store the auth in the encrypted cookie that I can then access in later requests without needing to hit the DB. I hold valid sessions in the DB (with a cache in front, most will not need this) and just verify to that.

1 Like
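One way to lay out the "dedicated module, called from a plug" arrangement discussed above, as an added example that is not code from either poster. It assumes a Comeonin release that exposes `Comeonin.Bcrypt.checkpw/2` and `dummy_checkpw/0`, plus the `plug` dependency; `MyApp.Auth`, `MyAppWeb.Plugs.PasswordLogin`, the `:fetch_user` option and the `password_hash` field are hypothetical names.

```elixir
defmodule MyApp.Auth do
  # Hypothetical module: the one place that knows how a password is verified,
  # so a plug, a controller or a channel can all call the same function.
  alias Comeonin.Bcrypt

  # `fetch_user` is a caller-supplied lookup (for example a Repo query) that
  # returns a map or struct with :password_hash, or nil when there is no user.
  def authenticate(email, password, fetch_user) when is_binary(email) and is_binary(password) do
    case fetch_user.(email) do
      %{password_hash: hash} = user when is_binary(hash) ->
        if Bcrypt.checkpw(password, hash), do: {:ok, user}, else: {:error, :invalid_credentials}

      _ ->
        # Spend the same bcrypt time as a real check so response timing does
        # not reveal whether the account exists; the error is identical too.
        Bcrypt.dummy_checkpw()
        {:error, :invalid_credentials}
    end
  end

  def authenticate(_email, _password, _fetch_user), do: {:error, :invalid_credentials}
end

defmodule MyAppWeb.Plugs.PasswordLogin do
  # Hypothetical plug for a dedicated login pipeline (option 1). It only maps
  # HTTP params onto MyApp.Auth; issuing the JWT is left to the controller.
  # Assumes Plug.Parsers has already populated conn.params.
  import Plug.Conn

  def init(opts), do: Keyword.fetch!(opts, :fetch_user)

  def call(%Plug.Conn{params: params} = conn, {mod, fun}) do
    lookup = fn email -> apply(mod, fun, [email]) end

    case MyApp.Auth.authenticate(params["email"], params["password"], lookup) do
      {:ok, user} ->
        assign(conn, :current_user, user)

      {:error, :invalid_credentials} ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"invalid credentials"}))
        |> halt()
    end
  end
end
```

In a router pipeline this would be wired as `plug MyAppWeb.Plugs.PasswordLogin, fetch_user: {MyApp.Accounts, :get_user_by_email}`, where the accounts module and function are likewise assumed names.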