I did some research on this topic, but I wasn’t able to find anything helpful.
We are converting a Phoenix 1.4 app into an umbrella app with three web apps. Each web app runs on its own endpoint. In production, the apps will be accessible via subdomains. So
y_web will be accessed through
y.tld.com respectively. We’re hosting the app on Heroku.
We’re not sure where to put Guardian and authentication. For now, we left guardian inside each web app in the umbrella to handle sign in and sign out. But that’s an awful lot of duplication.
Before we go on rewriting a bunch of stuff, if we extract guardian into its own app, say
auth_web, can we not depend on a session cookie on the domain level to make authentication available on
y_web, and so on? I think when we tried this, we ran into some issues with the Guardian token only working in the app where sign-in took place.
In regards to the session cookie being shared at the domain level, that should work. You’ll need to make sure you’re using the same secrets across all three apps. I believe phoenix uses some token for signing the session cookie and guardian uses some secret for signing the JWT.
There are a lot of moving parts and it’s hard to wrap my head around them. If I understand correctly, most people would:
- Separate Auth into its own app
- Have apps needing auth depend on the auth app (so you can sign in/out, call
Auth.Guardian.current_resource and so on)
- Have a single configuration at the umbrella level… or… each app to have its configuration but share the same guardian secret key?
I usually avoid umbrella apps personally. What you described seems consistent with the common practice. As for step 3, I would go for umbrella level config or app level for the auth app.
Does Heroku support multiple Phoenix endpoints running on different ports? Last time I checked it did not (although maybe it works if you’re using the new Docker support)
Also note that all configuration in an Umbrella app is shared in one global namespace.
Might be worthwhile taking a look at the Captain Fact api repo. It is an umbrella app that uses Guardian.
Thanks, that’s a great resource. But we have a bigger limitation. It looks like, as @axelson mentioned, Heroku doesn’t allow access to ports, so my idea of running
bar.tld.com as different umbrella apps with their own endpoints and ports won’t work after all.