I am have followed this blog to setup guardian authentication for my api using JWT.
However, I am running into the following issues:
- I need to sign in twice before my authorization works
- The sign out isn’t working. Even after signing out I can still access the restricted routes.
mix.exs:
{:phoenix, "~> 1.4.0"},
{:phoenix_pubsub, "~> 1.1"},
{:phoenix_ecto, "~> 4.0"},
{:ecto_sql, "~> 3.0"},
{:postgrex, ">= 0.0.0"},
{:phoenix_html, "~> 2.11"},
{:phoenix_live_reload, "~> 1.2", only: :dev},
{:gettext, "~> 0.11"},
{:jason, "~> 1.0"},
{:plug_cowboy, "~> 2.0"},
{:distillery, "~> 2.0", runtime: false},
{:neuron, "~> 1.1.0"},
# User authentication
{:ueberauth, "~> 0.6.1"},
{:ueberauth_github, "~> 0.7"},
{:guardian, "~> 1.2.1"},
{:comeonin, "~> 5.0"},
{:bcrypt_elixir, "~> 2.0"},
router.ex
defmodule ProfiloWeb.Router do
use ProfiloWeb, :router
pipeline :jwt_authenticated do
plug ProfiloWeb.Pipe.UserAuth
end
pipeline :api do
plug :accepts, ["json"]
end
scope "/api/v1", ProfiloWeb do
pipe_through :api
post "/sign-up", UserController, :create
post "/sign-in", UserController, :sign_in
post "/sign-out", UserController, :sign_out
end
scope "/api/v1", ProfiloWeb do
pipe_through [:api, :jwt_authenticated]
get "/my-user", UserController, :show
end
end
user_auth.ex
defmodule ProfiloWeb.Pipe.UserAuth do
use Guardian.Plug.Pipeline,
otp_app: :profilo,
error_handler: ProfiloWeb.Pipe.UserAuthError,
module: Profilo.Accounts.Lib.Guardian
# If there is an authorization header, restrict it to an access token and validate it
plug Guardian.Plug.VerifyHeader, realm: "Bearer"
# Load the user if either of the verifications worked
plug Guardian.Plug.LoadResource
plug Guardian.Plug.EnsureAuthenticated
end
user_controller.ex
defmodule ProfiloWeb.UserController do
use ProfiloWeb, :controller
alias Profilo.Accounts.Lib.Guardian
alias Profilo.Accounts
alias Profilo.Accounts.Lib.User
action_fallback ProfiloWeb.FallbackController
def create(conn, %{"user" => user_params}) do
with {:ok, %User{} = user} <- Accounts.create_user(user_params),
{:ok, token, _claims} <- Guardian.encode_and_sign(user)
do
conn |> render("jwt.json", jwt: token)
end
end
def sign_in(conn, %{"email" => email, "password" => password}) do
case Accounts.token_sign_in(email, password) do
{:ok, token, _claims} ->
conn |> render("jwt.json", jwt: token)
_ ->
{:error, :unauthorized}
end
end
def show(conn, _params) do
user = Guardian.Plug.current_resource(conn)
conn |> render("user.json", user: user)
end
def sign_out(conn, _params) do
conn
|> Guardian.Plug.sign_out()
|> render("logout.json", _params)
end
end
Commands used:
➜ profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{
"email": "test@gmal.com",
"password": "123456"
}' 'http://localhost:4000/api/v1/sign-in'
{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj
oxNTU3MTk1MzY2LCJpYXQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY
mQ4Yy0xMTEwLTQ0MTctYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6
IjEwIiwidHlwIjoiYWNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz
4Oge3F4nGM9MFcVNMUnVl6oaozFsDW-NTMY8oUA"}%
➜ profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJI
UzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIj oxNTU3MTk1MzY2LCJpY
XQiOjE1NTQ3NzYxNjYsImlzcyI6InByb2ZpbG8iLCJqdGkiOiI2MGVlY mQ4Yy0xMTEwLTQ0MTc
tYTFhNS0xNDc0OTRmYjYxOGEiLCJuYmYiOjE1NTQ3NzYxNjUsInN1YiI6 IjEwIiwidHlwIjoiY
WNjZXNzIn0.aFA4Z93JRYwITELD5uiWqWPwO4tfeYqA0cKDRz8T6VNLByz 4Oge3F4nGM9MFcVN
MUnVl6oaozFsDW-NTMY8oUA' 'http://localhost:4000/api/v1/my-user'
{"error":"invalid_token"}%
➜ profilo git:(master) ✗ curl -XPOST -H "Content-type: application/json" -
d '{ "email": "test@gmal.com", "password": "123456"}' 'http://localhost:4000/api/v1/sign-in'{"jwt":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA"}%
➜ profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%
➜ profilo git:(master) ✗ curl -XPOST -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/sign-out'
{"message":"Logged out"}%
➜ profilo git:(master) ✗ curl -XGET -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwcm9maWxvIiwiZXhwIjoxNTU3MTk1Mzg4LCJpYXQiOjE1NTQ3NzYxODgsImlzcyI6InByb2ZpbG8iLCJqdGkiOiJmM2JhMjM5ZS0yMjdkLTQ4ZTktODA5Zi0wZmM5NDBlMGRlNWUiLCJuYmYiOjE1NTQ3NzYxODcsInN1YiI6IjEwIiwidHlwIjoiYWNjZXNzIn0.n48SoK0bqkc-1Ms45udl-hS6j6bibUe33bTt4gQ7syxAUFbZhiRsiHm5TOv4nZY7j1lddAJ-tjSOHd--1oO-HA' 'http://localhost:4000/api/v1/my-user'
{"email":"test@gmal.com","id":10}%