Guardian Authentication using JWT

Phoenix Forum Questions / Help
, ,
1

I am have followed this blog to setup guardian authentication for my api using JWT.

However, I am running into the following issues:

  1. I need to sign in twice before my authorization works
  2. The sign out isn’t working. Even after signing out I can still access the restricted routes.

mix.exs:

{:phoenix, "~> 1.4.0"},
      {:phoenix_pubsub, "~> 1.1"},
      {:phoenix_ecto, "~> 4.0"},
      {:ecto_sql, "~> 3.0"},
      {:postgrex, ">= 0.0.0"},
      {:phoenix_html, "~> 2.11"},
      {:phoenix_live_reload, "~> 1.2", only: :dev},
      {:gettext, "~> 0.11"},
      {:jason, "~> 1.0"},
      {:plug_cowboy, "~> 2.0"},
      {:distillery, "~> 2.0", runtime: false},
      {:neuron, "~> 1.1.0"},

      # User authentication
      {:ueberauth, "~> 0.6.1"},
      {:ueberauth_github, "~> 0.7"},
      {:guardian, "~> 1.2.1"},
      {:comeonin, "~> 5.0"},
      {:bcrypt_elixir, "~> 2.0"},

router.ex

defmodule ProfiloWeb.Router do
  use ProfiloWeb, :router

  pipeline :jwt_authenticated do
    plug ProfiloWeb.Pipe.UserAuth
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/api/v1", ProfiloWeb do
    pipe_through :api

    post "/sign-up", UserController, :create
    post "/sign-in", UserController, :sign_in
    post "/sign-out", UserController, :sign_out

  end

  scope "/api/v1", ProfiloWeb do
    pipe_through [:api, :jwt_authenticated]

    get "/my-user", UserController, :show
  end
end

user_auth.ex

defmodule ProfiloWeb.Pipe.UserAuth do
  use Guardian.Plug.Pipeline,
    otp_app: :profilo,
    error_handler: ProfiloWeb.Pipe.UserAuthError,
    module: Profilo.Accounts.Lib.Guardian


  # If there is an authorization header, restrict it to an access token and validate it
  plug Guardian.Plug.VerifyHeader, realm: "Bearer"

  # Load the user if either of the verifications worked
  plug Guardian.Plug.LoadResource

  plug Guardian.Plug.EnsureAuthenticated
end

user_controller.ex

defmodule ProfiloWeb.UserController do
  use ProfiloWeb, :controller

  alias Profilo.Accounts.Lib.Guardian
  alias Profilo.Accounts
  alias Profilo.Accounts.Lib.User

  action_fallback ProfiloWeb.FallbackController

  def create(conn, %{"user" => user_params}) do
    with {:ok, %User{} = user} <- Accounts.create_user(user_params),
        {:ok, token, _claims} <- Guardian.encode_and_sign(user)
    do
      conn |> render("jwt.json", jwt: token)
    end
  end

  def sign_in(conn, %{"email" => email, "password" => password}) do
    case Accounts.token_sign_in(email, password) do
      {:ok, token, _claims} ->
        conn |> render("jwt.json", jwt: token)
      _ ->
        {:error, :unauthorized}
    end
  end

  def show(conn, _params) do
    user = Guardian.Plug.current_resource(conn)
    conn |> render("user.json", user: user)
  end

  def sign_out(conn, _params) do
    conn
    |> Guardian.Plug.sign_out()
    |> render("logout.json", _params)
  end
end

Commands used:

➜  profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{
  "email": "test@gmal.com",
  "password": "123456"
}' 'http://localhost:4000/api/v1/sign-in'
{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj
oxNTU3MTk1MzY2LCJpYXQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY
mQ4Yy0xMTEwLTQ0MTctYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6
IjEwIiwidHlwIjoiYWNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz
4Oge3F4nGM9MFcVNMUnVl6oaozFsDW-NTMY8oUA"}%  
                         
➜  profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJI
UzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj oxNTU3MTk1MzY2LCJpY
XQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY mQ4Yy0xMTEwLTQ0MTc
tYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6 IjEwIiwidHlwIjoiY
WNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz 4Oge3F4nGM9MFcVN
MUnVl6oaozFsDW-NTMY8oUA' 'http://localhost:4000/api/v1/my-user'
{"error":"invalid_token"}%                                           
      
➜  profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{  "email": "test@gmal.com",  "password": "123456"}' 'http://localhost:4000/api/v1/sign-in'{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA"}%     
                            
➜  profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%  
                                       
➜  profilo git:(master) ✗ curl -XPOST -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/sign-out'
{"message":"Logged out"}%        
                                          
➜  profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%
2

Yeah that is actually expected because since because JWT is typically meant to be stateless, it doesn’t allow graceful revokation of tokens (i.e. logout). So many (including me) would argue that JWT is not a good fit for authentication (but it can be good for stateless authorization between semi-independent services). So instead of JWT I would recommend to use Phoenix tokens https://hexdocs.pm/phoenix/Phoenix.Token.html or a framework like pow https://github.com/danschultzer/pow

If you’re interested here is a two article series I like about why JWT is not a good fit for user sessions (even though it is often presented as if it is):

8 Likes
3

Yup.

I went from coherence to guardian to coherence to pow. The reason for me to abandon guardian was probably @axelson’s previous post. Or whoever posted that jwt article.

My web app doesn’t need it. JWT apparently is for web services API more than web app. If you want to sign out you have to keep track of token in a database, guardian have an extension for that iirc.

update: The extension: guardian db

It’s also under the readme section “Tracking Tokens” at their repo: https://github.com/ueberauth/guardian

2 Likes
4

Thank you for suggesting pow, I am currently checking it out. More importantly thanks for suggesting the article, which explains the why use session for user session management.

1 Like
5

Also @axelson or @mythicalprogrammer, do you have any experiencing using pow with react? I am trying to serve a react registration form rather than using the form that is provided with pow, but i’m not sure how to accomplish it.

6

You can customize the templates in Pow: https://github.com/danschultzer/pow#modify-templates

1 Like
7

I’ve never done React. So I cannot help you on that.

8

Thanks for the suggestion it helped me out, but is there any way for me to customize pow controllers? For example, I want POST /registration to accept json rather than html.

9

Here’s the guide for custom controllers: https://github.com/danschultzer/pow/blob/master/guides/CUSTOM_CONTROLLERS.md

You would use the plug methods as shown in the guide, and depending on how your API works, set up a custom authorization plug rather than using the default session plug: https://github.com/danschultzer/pow#authorization-plug

1 Like