marcin
April 12, 2024, 9:52pm
Hi!
I wanted to refresh my knowledge on how to mix phx.gen.auth with local password users db, as well as OAuth providers such as Github, and wrote a guide on this in the end.
Hope it helps in some confusion around the topic I have seen on Elixir Forum!
21 Likes
Thanks for sharing. This is handy - I’m new to Elixir/Phoenix and was a little bewildered by the choice of auth libraries. For now I’ve just been using phx.gen.auth but would like to add social auth at some point so will be referring to this.
2 Likes
This guide uses `:rand.bytes/1` to generate a password. The Erlang docs (https://www.erlang.org/doc/apps/stdlib/rand) say that module is "not cryptographically strong". The auto-generated code they are discussing uses `:crypto.strong_rand_bytes/1`, just like the Erlang docs recommend.
It is easily changed, but this is meant to be an auth guide.
3 Likes
@slouchpie thanks for a peer review! Indeed a grave mistake on my part. Now updated.
6 Likes
A swift and honourable response. You have my respect.
4 Likes
this is such a good blog post. Thanks!
Thanks, very helpful blog. I think we need something for 2FA (two-factor authentication).
It is increasingly becoming a security requirement for sensitive/super-user access to applications.
There is a lot of work done for this already.
Check this discussion:
https://elixirforum.com/t/i-added-2fa-to-the-phx-gen-auth-generator/63914/2
and this PR:
phoenixframework:main ← RobinBoers:main (opened 09:11AM - 01 Jul 24 UTC)
Hi! I’ve been working on adding 2FA to the `phx.gen.auth` generator and wondered… whether I could maybe contribute my changes back to the upstream. I already [posted about it on the Elixir forum](https://elixirforum.com/t/i-added-2fa-to-the-phx-gen-auth-generator/63914) a few weeks back, but I didn't get much feedback there.
My fork currently has:
- Scannable QR code on the settings page (can be used with any authenticator app).
- Codes can only be used once (as required by the spec).
- Checks account for differences in time between devices and slow typing, by also allowing 30 secs before and after expiration.
Feedback is greatly appreciated! I’m looking for feedback on code quality, proper style and security. In particular, I have a few questions:
- Is the way the User module currently uses the Accounts module okay?
- I’m manually Base64 {en,de}coding the secret before storing it using Ecto. Is there a better way to do this?
- Is the way I’ve implemented this secure? To me it seems pretty solid, but I’m not a security expert.
- I noticed the hashing library in the generator is dynamic. Is it desirable to also make the TOTP and QR-code generator libraries dynamic like that?
I haven't written any tests yet, but am willing to do that if it's required to get it merged.
**Edit**:
Here's a [demo repo](https://git.dupunkto.org/axcelott/demo) generated like this:
```shell
cd installer
mix phx.new dev_app --dev
cd dev_app
mix phx.gen.auth Accounts User users
```
**Edit 2**
@dvic said I should post screenshots, so here's a few:
![Screenshot 2024-07-01 at 11 35 15](https://github.com/phoenixframework/phoenix/assets/60298132/d93099eb-a2e7-4e0d-82a2-08641d00eb46)
![Screenshot 2024-07-01 at 11 37 00](https://github.com/phoenixframework/phoenix/assets/60298132/81fcca3f-f761-482b-ad7d-ca333329b072)
1 Like
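Two security points come up in this thread: the random-bytes correction (`:rand.bytes/1` is a seeded PRNG, `:crypto.strong_rand_bytes/1` is the CSPRNG), and the TOTP behaviour described in the PR (codes usable only once, a 30-second tolerance either side of the current step). The module below is an added example in Elixir that shows both in one place. It is my illustration, not code from the guide, from `phx.gen.auth`, or from the linked PR, whose implementation may differ; the module name `DemoTotp`, its function names, and the idea of persisting a `last_counter` per user next to the secret are assumptions made for the example. It needs only Erlang/OTP's `:crypto` and Elixir's standard library, and runs with `elixir demo_totp.exs`.

```elixir
defmodule DemoTotp do
  @moduledoc """
  Minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second steps) with a replay
  check. Added example for this thread; not code from the guide, from
  phx.gen.auth or from the linked PR. Names and the last_counter design are
  assumptions of the example.
  """
  import Bitwise

  @digits 6
  @period 30
  # Accept one step either side of "now": the +/-30 s tolerance the PR describes.
  @window 1

  # A fresh shared secret must come from the CSPRNG. :rand.bytes/1 is a seeded
  # PRNG and must not be used here (the point raised earlier in the thread).
  def generate_secret(bytes \\ 20), do: :crypto.strong_rand_bytes(bytes)

  # otpauth:// URI that authenticator apps read from the QR code. Apps expect
  # the secret in unpadded Base32, whatever encoding the database column uses.
  def otpauth_uri(secret, account, issuer) do
    label = URI.encode(issuer <> ":" <> account)

    "otpauth://totp/#{label}?secret=#{Base.encode32(secret, padding: false)}" <>
      "&issuer=#{URI.encode(issuer)}&algorithm=SHA1&digits=#{@digits}&period=#{@period}"
  end

  # Time-step counter for a Unix timestamp (RFC 6238: T = floor(now / period)).
  def counter(unix_seconds), do: div(unix_seconds, @period)

  # HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter, dynamic
  # truncation to 31 bits, then the low @digits decimal digits, zero-padded.
  def hotp(secret, counter) do
    mac = :crypto.mac(:hmac, :sha, secret, <<counter::unsigned-big-integer-size(64)>>)
    offset = :binary.last(mac) &&& 0x0F
    <<_::binary-size(offset), bin_code::unsigned-big-integer-size(32), _::binary>> = mac

    (bin_code &&& 0x7FFF_FFFF)
    |> rem(Integer.pow(10, @digits))
    |> Integer.to_string()
    |> String.pad_leading(@digits, "0")
  end

  # Verify a submitted code at now_unix. last_counter is the step of the last
  # code accepted for this user (assumed to be persisted next to the secret and
  # passed back in), so a code that was already used, or any older step, is
  # refused even though it is still inside the window. Returns
  # {:ok, counter_to_store} or :error.
  def verify(secret, submitted, now_unix, last_counter \\ -1) do
    current = counter(now_unix)

    Enum.find_value(-@window..@window, :error, fn delta ->
      step = current + delta

      if step > last_counter and secure_compare(hotp(secret, step), submitted) do
        {:ok, step}
      end
    end)
  end

  # Constant-time comparison so the check does not leak how many leading digits
  # matched. Code length is not secret, so a length mismatch may bail out early.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    diff =
      a
      |> :binary.bin_to_list()
      |> Enum.zip(:binary.bin_to_list(b))
      |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end)

    diff == 0
  end

  defp secure_compare(_, _), do: false
end

# Constructed walk-through using the RFC 4226 / RFC 6238 test secret (the ASCII
# string "12345678901234567890"), so hotp/2 output can be checked against the
# published test vectors. A real deployment calls generate_secret/1 instead.
secret = "12345678901234567890"
IO.puts(DemoTotp.otpauth_uri(secret, "alice@example.com", "DemoApp"))

code = DemoTotp.hotp(secret, DemoTotp.counter(59))
{:ok, used} = DemoTotp.verify(secret, code, 59)      # first use: accepted
:error = DemoTotp.verify(secret, code, 59, used)      # same code again: refused
{:ok, ^used} = DemoTotp.verify(secret, code, 89)      # one step later: still inside the window
:error = DemoTotp.verify(secret, code, 120)           # two steps later: outside the window
IO.puts("ok")
```

The replay check is what makes "codes can only be used once" hold across the tolerance window: without a stored high-water mark, a code captured at second 59 would still verify at second 89. Storing the last accepted step rather than the last accepted code also rejects older steps that happen to fall inside the window, which is the behaviour RFC 6238 recommends.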
Not adding much, but I still just want to say great blog, I enjoyed it and found it helpful.