venomnert

venomnert

Guardian Authentication using JWT

I am have followed this blog to setup guardian authentication for my api using JWT.

However, I am running into the following issues:

  1. I need to sign in twice before my authorization works
  2. The sign out isn’t working. Even after signing out I can still access the restricted routes.

mix.exs:

{:phoenix, "~> 1.4.0"},
      {:phoenix_pubsub, "~> 1.1"},
      {:phoenix_ecto, "~> 4.0"},
      {:ecto_sql, "~> 3.0"},
      {:postgrex, ">= 0.0.0"},
      {:phoenix_html, "~> 2.11"},
      {:phoenix_live_reload, "~> 1.2", only: :dev},
      {:gettext, "~> 0.11"},
      {:jason, "~> 1.0"},
      {:plug_cowboy, "~> 2.0"},
      {:distillery, "~> 2.0", runtime: false},
      {:neuron, "~> 1.1.0"},

      # User authentication
      {:ueberauth, "~> 0.6.1"},
      {:ueberauth_github, "~> 0.7"},
      {:guardian, "~> 1.2.1"},
      {:comeonin, "~> 5.0"},
      {:bcrypt_elixir, "~> 2.0"},

router.ex

defmodule ProfiloWeb.Router do
  use ProfiloWeb, :router

  pipeline :jwt_authenticated do
    plug ProfiloWeb.Pipe.UserAuth
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/api/v1", ProfiloWeb do
    pipe_through :api

    post "/sign-up", UserController, :create
    post "/sign-in", UserController, :sign_in
    post "/sign-out", UserController, :sign_out

  end

  scope "/api/v1", ProfiloWeb do
    pipe_through [:api, :jwt_authenticated]

    get "/my-user", UserController, :show
  end
end

user_auth.ex

defmodule ProfiloWeb.Pipe.UserAuth do
  use Guardian.Plug.Pipeline,
    otp_app: :profilo,
    error_handler: ProfiloWeb.Pipe.UserAuthError,
    module: Profilo.Accounts.Lib.Guardian


  # If there is an authorization header, restrict it to an access token and validate it
  plug Guardian.Plug.VerifyHeader, realm: "Bearer"

  # Load the user if either of the verifications worked
  plug Guardian.Plug.LoadResource

  plug Guardian.Plug.EnsureAuthenticated
end

user_controller.ex

defmodule ProfiloWeb.UserController do
  use ProfiloWeb, :controller

  alias Profilo.Accounts.Lib.Guardian
  alias Profilo.Accounts
  alias Profilo.Accounts.Lib.User

  action_fallback ProfiloWeb.FallbackController

  def create(conn, %{"user" => user_params}) do
    with {:ok, %User{} = user} <- Accounts.create_user(user_params),
        {:ok, token, _claims} <- Guardian.encode_and_sign(user)
    do
      conn |> render("jwt.json", jwt: token)
    end
  end

  def sign_in(conn, %{"email" => email, "password" => password}) do
    case Accounts.token_sign_in(email, password) do
      {:ok, token, _claims} ->
        conn |> render("jwt.json", jwt: token)
      _ ->
        {:error, :unauthorized}
    end
  end

  def show(conn, _params) do
    user = Guardian.Plug.current_resource(conn)
    conn |> render("user.json", user: user)
  end

  def sign_out(conn, _params) do
    conn
    |> Guardian.Plug.sign_out()
    |> render("logout.json", _params)
  end
end

Commands used:

➜  profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{
  "email": "test@gmal.com",
  "password": "123456"
}' 'http://localhost:4000/api/v1/sign-in'
{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj
oxNTU3MTk1MzY2LCJpYXQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY
mQ4Yy0xMTEwLTQ0MTctYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6
IjEwIiwidHlwIjoiYWNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz
4Oge3F4nGM9MFcVNMUnVl6oaozFsDW-NTMY8oUA"}%  
                         
➜  profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJI
UzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj oxNTU3MTk1MzY2LCJpY
XQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY mQ4Yy0xMTEwLTQ0MTc
tYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6 IjEwIiwidHlwIjoiY
WNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz 4Oge3F4nGM9MFcVN
MUnVl6oaozFsDW-NTMY8oUA' 'http://localhost:4000/api/v1/my-user'
{"error":"invalid_token"}%                                           
      
➜  profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{  "email": "test@gmal.com",  "password": "123456"}' 'http://localhost:4000/api/v1/sign-in'{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA"}%     
                            
➜  profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%  
                                       
➜  profilo git:(master) ✗ curl -XPOST -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/sign-out'
{"message":"Logged out"}%        
                                          
➜  profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%                                         

Marked As Solved

danschultzer

danschultzer

Pow Core Team

Here’s the guide for custom controllers: https://github.com/danschultzer/pow/blob/master/guides/CUSTOM_CONTROLLERS.md

You would use the plug methods as shown in the guide, and depending on how your API works, set up a custom authorization plug rather than using the default session plug: GitHub - pow-auth/pow: Robust, modular, and extendable user authentication system · GitHub

Also Liked

axelson

axelson

Scenic Core Team

Yeah that is actually expected because since because JWT is typically meant to be stateless, it doesn’t allow graceful revokation of tokens (i.e. logout). So many (including me) would argue that JWT is not a good fit for authentication (but it can be good for stateless authorization between semi-independent services). So instead of JWT I would recommend to use Phoenix tokens Phoenix.Token — Phoenix v1.8.8 or a framework like pow GitHub - pow-auth/pow: Robust, modular, and extendable user authentication system · GitHub

If you’re interested here is a two article series I like about why JWT is not a good fit for user sessions (even though it is often presented as if it is):

mythicalprogrammer

mythicalprogrammer

Yup.

I went from coherence to guardian to coherence to pow. The reason for me to abandon guardian was probably @axelson’s previous post. Or whoever posted that jwt article.

My web app doesn’t need it. JWT apparently is for web services API more than web app. If you want to sign out you have to keep track of token in a database, guardian have an extension for that iirc.


update: The extension: guardian db

It’s also under the readme section “Tracking Tokens” at their repo: https://github.com/ueberauth/guardian

venomnert

venomnert

Thank you for suggesting pow, I am currently checking it out. More importantly thanks for suggesting the article, which explains the why use session for user session management.

Where Next?

Popular in Questions Top

JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
beno
I will often find my self writing things similar to: case some_value do nil -&gt; something() "" -&gt; something() _ -&gt; somethi...
New
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
srinivasu
How to handle excepions in elixir? Suppose i have A, B, C ,D, E modules. and each module has get() function. A.get() method will call t...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Other popular topics Top

TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36128 110
New
Qqwy
Update: How to use the Blogs &amp; Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 126479 1222
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New

We're in Beta

About us Mission Statement