Linuus

Linuus

Guardian/JWT vs Phoenix.Token?

Hi!

(There may be some rubber ducking going on here but… anyway :slight_smile: )

I’m building a backend API for a mobile app and try to figure out a good way to handle the authentication. I’ve already setup the initial user registration using Comeonin etc. so now I’m trying to settle on some token format to use.

I found this: User authentication in Phoenix? but it’s more focused on regular web apps and not APIs.

A lot of people seem to use Guardian and JWTs.

Is there any reason to use a JWT over something like Phoenix.Token?

Both JWT and Phoenix.Token can be verified without having them stored in the DB, but that means that we can’t invalidate the tokens (without invalidating ALL tokens). Right? This feels a bit scary to me. Am I just overly cautious?

To solve this, you have two options (that I know of):

  • Use a short expiration time
    • In a mobile app, the user has to sign in often which is annoying.
  • Store the tokens in the DB and only tokens that are present among the user’s tokens are valid
    • Why use a JWT or Phoenix.Token if you still check them in the DB? You can just store a random string without data encoded in it or other complex features.
    • The DB will end up with a lot of stale tokens (may not be a big issue, but still)

What do you use on your APIs?
Why do you use that?

Most Liked

michalmuskala

michalmuskala

I was recently given a link to an article, which perfectly summarises my thoughts on JWT: Stop using JWT for sessions - joepie91's Ramblings

karmajunkie

karmajunkie

If all you’re doing is storing the session token, I’d probably reach for ETS first. If you’ve already got a per-user process going (and its truly account-related, not something where you’d just be tacking on some random piece of info) then I’d look at making it a part of that state. But I’d probably still echo it out to a database unless you’re ok with everyone’s session dying when you do a deploy or restart your node for whatever reason, and you’re also ok with the complications that will arise from needing to do session lookup in a cluster (assuming you want to run more than one node in production.)

I don’t want to trivialize the function; session management is one of those things that gets real complicated real fast at the edges. And frankly I’m new enough at this ecosystem that I’d want to have someone more experienced weigh in on what would be idiomatic and proper. But do keep in mind what the draw for BEAM is in the first place: excellent concurrency and state management tools that go far beyond just a record in a database somewhere.

mbriggs

mbriggs

I’m not saying one thing is better then another, im actually arguing against the idea that there is one golden hammer. Everything has tradeoffs in authentication, you can list the negatives of anything and come to the conclusion it is bad. And be right! But there is also good.

Modern webapps tend to be written in something that lives on the browser, and communicates with the server via API. They also tend to have mobile apps, as well as public APIs. Phoenix apps tend to use websockets (channels). JWT works well for all of those cases, while session id in a cookie matching a row in a db work well for html forms. So authentication gets a lot easier for the other cases, and the tradeoff is invalidation gets more complicated. Are session cookies bad because they are really clunky to use in non browser situations? Of course not. Its all about tradeoffs and using the right tool for the job.

Where Next?

Popular in Questions Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Other popular topics Top

Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New

We're in Beta

About us Mission Statement