venomnert
Guardian Authentication using JWT
I am have followed this blog to setup guardian authentication for my api using JWT.
However, I am running into the following issues:
- I need to sign in twice before my authorization works
- The sign out isn’t working. Even after signing out I can still access the restricted routes.
mix.exs:
{:phoenix, "~> 1.4.0"},
{:phoenix_pubsub, "~> 1.1"},
{:phoenix_ecto, "~> 4.0"},
{:ecto_sql, "~> 3.0"},
{:postgrex, ">= 0.0.0"},
{:phoenix_html, "~> 2.11"},
{:phoenix_live_reload, "~> 1.2", only: :dev},
{:gettext, "~> 0.11"},
{:jason, "~> 1.0"},
{:plug_cowboy, "~> 2.0"},
{:distillery, "~> 2.0", runtime: false},
{:neuron, "~> 1.1.0"},
# User authentication
{:ueberauth, "~> 0.6.1"},
{:ueberauth_github, "~> 0.7"},
{:guardian, "~> 1.2.1"},
{:comeonin, "~> 5.0"},
{:bcrypt_elixir, "~> 2.0"},
router.ex
defmodule ProfiloWeb.Router do
use ProfiloWeb, :router
pipeline :jwt_authenticated do
plug ProfiloWeb.Pipe.UserAuth
end
pipeline :api do
plug :accepts, ["json"]
end
scope "/api/v1", ProfiloWeb do
pipe_through :api
post "/sign-up", UserController, :create
post "/sign-in", UserController, :sign_in
post "/sign-out", UserController, :sign_out
end
scope "/api/v1", ProfiloWeb do
pipe_through [:api, :jwt_authenticated]
get "/my-user", UserController, :show
end
end
user_auth.ex
defmodule ProfiloWeb.Pipe.UserAuth do
use Guardian.Plug.Pipeline,
otp_app: :profilo,
error_handler: ProfiloWeb.Pipe.UserAuthError,
module: Profilo.Accounts.Lib.Guardian
# If there is an authorization header, restrict it to an access token and validate it
plug Guardian.Plug.VerifyHeader, realm: "Bearer"
# Load the user if either of the verifications worked
plug Guardian.Plug.LoadResource
plug Guardian.Plug.EnsureAuthenticated
end
user_controller.ex
defmodule ProfiloWeb.UserController do
use ProfiloWeb, :controller
alias Profilo.Accounts.Lib.Guardian
alias Profilo.Accounts
alias Profilo.Accounts.Lib.User
action_fallback ProfiloWeb.FallbackController
def create(conn, %{"user" => user_params}) do
with {:ok, %User{} = user} <- Accounts.create_user(user_params),
{:ok, token, _claims} <- Guardian.encode_and_sign(user)
do
conn |> render("jwt.json", jwt: token)
end
end
def sign_in(conn, %{"email" => email, "password" => password}) do
case Accounts.token_sign_in(email, password) do
{:ok, token, _claims} ->
conn |> render("jwt.json", jwt: token)
_ ->
{:error, :unauthorized}
end
end
def show(conn, _params) do
user = Guardian.Plug.current_resource(conn)
conn |> render("user.json", user: user)
end
def sign_out(conn, _params) do
conn
|> Guardian.Plug.sign_out()
|> render("logout.json", _params)
end
end
Commands used:
➜ profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{
"email": "test@gmal.com",
"password": "123456"
}' 'http://localhost:4000/api/v1/sign-in'
{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj
oxNTU3MTk1MzY2LCJpYXQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY
mQ4Yy0xMTEwLTQ0MTctYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6
IjEwIiwidHlwIjoiYWNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz
4Oge3F4nGM9MFcVNMUnVl6oaozFsDW-NTMY8oUA"}%
➜ profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJI
UzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj oxNTU3MTk1MzY2LCJpY
XQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY mQ4Yy0xMTEwLTQ0MTc
tYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6 IjEwIiwidHlwIjoiY
WNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz 4Oge3F4nGM9MFcVN
MUnVl6oaozFsDW-NTMY8oUA' 'http://localhost:4000/api/v1/my-user'
{"error":"invalid_token"}%
➜ profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{ "email": "test@gmal.com", "password": "123456"}' 'http://localhost:4000/api/v1/sign-in'{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA"}%
➜ profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%
➜ profilo git:(master) ✗ curl -XPOST -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/sign-out'
{"message":"Logged out"}%
➜ profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%
Marked As Solved
danschultzer
Here’s the guide for custom controllers: https://github.com/danschultzer/pow/blob/master/guides/CUSTOM_CONTROLLERS.md
You would use the plug methods as shown in the guide, and depending on how your API works, set up a custom authorization plug rather than using the default session plug: GitHub - pow-auth/pow: Robust, modular, and extendable user authentication system · GitHub
Also Liked
axelson
Yeah that is actually expected because since because JWT is typically meant to be stateless, it doesn’t allow graceful revokation of tokens (i.e. logout). So many (including me) would argue that JWT is not a good fit for authentication (but it can be good for stateless authorization between semi-independent services). So instead of JWT I would recommend to use Phoenix tokens Phoenix.Token — Phoenix v1.8.8 or a framework like pow GitHub - pow-auth/pow: Robust, modular, and extendable user authentication system · GitHub
If you’re interested here is a two article series I like about why JWT is not a good fit for user sessions (even though it is often presented as if it is):
mythicalprogrammer
Yup.
I went from coherence to guardian to coherence to pow. The reason for me to abandon guardian was probably @axelson’s previous post. Or whoever posted that jwt article.
My web app doesn’t need it. JWT apparently is for web services API more than web app. If you want to sign out you have to keep track of token in a database, guardian have an extension for that iirc.
update: The extension: guardian db
It’s also under the readme section “Tracking Tokens” at their repo: https://github.com/ueberauth/guardian
venomnert
Thank you for suggesting pow, I am currently checking it out. More importantly thanks for suggesting the article, which explains the why use session for user session management.








