amacedev
Can phx.gen.auth be used for API authentication?
Just curious if the basic auth framework generated by phx.gen.auth can be ‘easily’ converted to work with a JSON api.
Most Liked
derek-zhou
Cookie is designed to work without the JS frontend. By default, cookie session in phoneix is http only (not accessible by the js) and unencrypted (but signed so is tamper-proof). If you log in via conventional http that it is fine; if you want to have fancy login in javascript driven frontend, then it is not as easy to work with.
A bearer token is an opaque token, whereas a JWT token in the cookie session contains trusted data. With a bearer token you keep all session data server side in a ETS table or something, so it is safer and easier to work with in js.
MarthinL
I’d like to latch on to this question if I may.
My plan is to have my users sign up and log in using standard phoenix generated html. Essentially a customised version of the pages generated by:
mix pix.gen.auth Accounts User users
While they are logged in, users will interact on the site through a Vue Single Page Application which fetches and updates data using an API written in phoenix served from the same site.
What I’ve managed to do so far is to
- start with a phx.new project (i.e. with ecto and html),
- Vue-enabled it at the hand of Caleb Weeks’ blog post and Steven Pallen’s project,
- added authentication using phx.gen.auth and
- added a basic API added with phx.gen.json.
What I now need to figure out, with your help, is:
- where to find the token on the vue client side,
- how to get the token into the API call (I’m using axios),
- how to retrieve- and
- check the token again on the API side to limit API calls to only those arriving with valid and current tokens and also to retrieve “session” data linked to the token in the database (cached in ETS), which never the client code never get to see.
I’m aware that somewhere between none, some or even all of this is already taken care of by the generated code and/or various third-party libraries like Guardian. But I’m given to the idea that the best framework is no framework and want to ensure that I understand what the code I am using does and how.
So far, I am loving Elixir a lot, for that reason (I’ve come to Elixir from Erlang and PHP) but I am still very new to it.
al2o3cr
General comment: a typical API is not going to have any stateful behavior that would require a session.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








