Guardian in an umbrella app and session sharing

I did some research on this topic, but I wasn’t able to find anything helpful.

We are converting a Phoenix 1.4 app into an umbrella app with three web apps. Each web app runs on its own endpoint. In production, the apps will be accessible via subdomains. So x_web and y_web will be accessed through x.tld.com and y.tld.com respectively. We’re hosting the app on Heroku.

We’re not sure where to put Guardian and authentication. For now, we left Guardian inside each web app in the umbrella to handle sign in and sign out. But that’s an awful lot of duplication.

Before we go on rewriting a bunch of stuff, if we extract guardian into its own app, say auth_web, can we not depend on a session cookie on the domain level to make authentication available on x_web, y_web, and so on? I think when we tried this, we ran into some issues with the Guardian token only working in the app where sign-in took place.

+ apps
  core
  x_web
  y_web
  z_web

Any ideas?

In regards to the session cookie being shared at the domain level, that should work. You’ll need to make sure you’re using the same secrets across all three apps. I believe Phoenix uses some token for signing the session cookie and Guardian uses some secret for signing the JWT.
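What “same secrets across all three apps” looks like in practice, as an added example that is not code from this thread or from any of the posters’ projects. It assumes hypothetical names (`tld.com`, a `:core` app holding shared config, an `:auth` app with `Auth.Guardian`, and `XWeb.Endpoint` etc.), Heroku config vars for the secrets, and the Plug.Session and Guardian 1.x APIs; the three values the signed cookie depends on (`secret_key_base`, `signing_salt`, cookie `key`) are made identical for every endpoint, the cookie is scoped to the parent domain, and one Guardian module with one `secret_key` verifies tokens regardless of which subdomain issued them.

```elixir
# --- config/config.exs at the umbrella root (use `use Mix.Config` on Elixir < 1.9) ---
import Config

# Fail at boot rather than run with a nil secret; these are Heroku config vars.
secret_key_base = System.fetch_env!("SECRET_KEY_BASE")

# Phoenix signs the session cookie with secret_key_base + signing_salt and reads it
# back by cookie name, so all three values must match on every endpoint.
config :core, :session_options,
  store: :cookie,
  key: "_tld_session",
  signing_salt: System.fetch_env!("SESSION_SIGNING_SALT"),
  domain: ".tld.com",   # parent domain: browser sends it to x.tld.com, y.tld.com, ...
  http_only: true,
  secure: true          # prod only; drop in config/dev.exs for plain http

for {app, endpoint} <- [x_web: XWeb.Endpoint, y_web: YWeb.Endpoint, z_web: ZWeb.Endpoint] do
  config app, endpoint, secret_key_base: secret_key_base
end

# One Guardian module, one secret: a JWT issued on x.tld.com verifies on y.tld.com.
config :auth, Auth.Guardian,
  issuer: "auth",
  secret_key: System.fetch_env!("GUARDIAN_SECRET_KEY")

# --- apps/x_web/lib/x_web/endpoint.ex (identical plug line in y_web and z_web) ---
defmodule XWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :x_web

  # The plug macro evaluates its options at compile time; umbrella config is global
  # and :core is a dependency of x_web, so the shared options are available here.
  plug Plug.Session, Application.get_env(:core, :session_options)
  plug XWeb.Router
end

# --- apps/auth/lib/auth/guardian.ex --------------------------------------------
defmodule Auth.Guardian do
  use Guardian, otp_app: :auth

  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def resource_from_claims(%{"sub" => id}), do: {:ok, Core.Accounts.get_user!(id)}
end

# --- apps/auth/lib/auth/pipeline.ex, plugged into each web app's router ----------
defmodule Auth.Pipeline do
  use Guardian.Plug.Pipeline, otp_app: :auth, module: Auth.Guardian,
                              error_handler: Auth.ErrorHandler

  plug Guardian.Plug.VerifySession            # token that sign_in/2 put in the shared session
  plug Guardian.Plug.LoadResource, allow_blank: true
end
```

A token signed in with `Auth.Guardian.Plug.sign_in/2` on one subdomain is then visible to `Auth.Guardian.Plug.current_resource/1` on the others, because all endpoints decode the same cookie and verify with the same Guardian secret.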

There are a lot of moving parts and it’s hard to wrap my head around them. If I understand correctly, most people would:

  1. Separate Auth into its own app
  2. Have apps needing auth depend on the auth app (so you can sign in/out, call Auth.Guardian.current_resource and so on)
  3. Have a single configuration at the umbrella level… or… each app to have its configuration but share the same guardian secret key?

I usually avoid umbrella apps personally. What you described seems consistent with the common practice. As for step 3, I would go for umbrella level config or app level for the auth app.

Does Heroku support multiple Phoenix endpoints running on different ports? Last time I checked it did not (although maybe it works if you’re using the new Docker support).

Also note that all configuration in an Umbrella app is shared in one global namespace.

Might be worthwhile taking a look at the Captain Fact api repo. It is an umbrella app that uses Guardian.

Thanks, that’s a great resource. But we have a bigger limitation. It looks like, as @axelson mentioned, Heroku doesn’t allow access to ports, so my idea of running foo.tld.com and bar.tld.com as different umbrella apps with their own endpoints and ports won’t work after all.