Guardian Refresh Token In Cookie Pipeline

micahsoftdotexe · November 9, 2023, 3:29am

Greetings,
I am attempting to implement a jwt pattern in phoenix using guardian. What I am doing is that I am returning a short lived access token in the response and a long lived refresh token in the cookies. So far, I am able to send back a token back in a cookie using the following code:

with({:ok, jwt, _full_claims} <- Token.encode_and_sign(user, %{}, ttl: {1, :minute}),
      {:ok, cookieJWT, _full_claims} <- Token.encode_and_sign(user, %{}, [ttl: {1, :week}, type: :refresh])) do
        conn
        |> put_resp_cookie("refresh_token", cookieJWT, http_only: true)
        |> put_resp_content_type("application/json")
        |> send_resp(200, Jason.encode!(%{token: jwt}))

and I am trying to create a refresh method and guarding it with a pipeline that looks like the following:

plug Guardian.Plug.VerifySession, [refresh_from_cookie: true, key: "refresh_token"]
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource

The issue is that VerifySession does not appear to be able to verify the cookie (even though it appears to be sent) because EnsureAuthenticated returns an error. Is there something that I am doing wrong? I am pretty new to Phoenix and Elixir in general so any help would be greatly appreciated.

HappyBee · November 9, 2023, 3:59am

I’ve faced this earlier, but not using Guardian, What kinda web browser are you using ?? Chrome??
Normally backend has to use CORS header enabled
Chrome has some issues when using local computer(ie., backend & frontend on same machine). You can use NGINX for reverse proxy. For more info read this - https://medium.com/@dmadan86/run-chrome-browser-without-cors-by-disabling-web-security-d124ad4dd2cf

micahsoftdotexe · November 9, 2023, 4:23am

At the moment I am just attempting to use insomnia to hit the endpoints while I am in the early stages of developing. Once I get some of the backend done, I will attempt to use Firefox to test my frontend and how it interacts with the phoenix API.

HappyBee · November 9, 2023, 4:26am

Sounds good!

micahsoftdotexe · November 9, 2023, 2:10pm

I also realized that using the :refresh_from_cookie is supposed to refresh the token using the refresh token found in the key of the cookie so I attempted using the deprecated Guardian.Plug.VerifyCookie instead so that I could implement my own refreshing functionality and I am having the same issue. I did try the following in the controller and it could see the cookie: IO.puts(conn.req_cookies["refresh_token"]). I am just not sure what might be wrong.

HappyBee · November 9, 2023, 2:38pm

Hi Micah, what are you actually trying to do? Are you trying to build a single API and use it on mobile device and web browser?

I highly recommend using Pow if you’re just beginning … Guardian was bit confusing for me, so I switched to Pow. There’s much support for API building, also it has got great Mnesia(An inbuilt db/cache) for storing API access token and refresh token.

Would you mind If I send a private message here on the forum?

muelthe · November 9, 2023, 4:47pm

What is the error that you’re seeing from EnsureAuthenticated?

micahsoftdotexe · November 10, 2023, 2:33am

It returns the error of unauthenticated as a response (with a 401).

micahsoftdotexe · November 10, 2023, 2:35am

I was able to craft my own plug that is able to both grab the correct token and verifies it with the following:

defmodule MyApp.Auth.CookieTokenValidator do
  import Plug.Conn
  alias Guardian.Plug.Pipeline

  @behaviour Plug
  @impl Plug
  def init(opts), do: opts
  @impl Plug
  def call(conn, opts) do
    with {:ok, token} <- get_token_from_cookie(conn, opts),
    module <- Pipeline.fetch_module!(conn, opts),
    {:ok, claims} <- Guardian.decode_and_verify(module, token, %{}, opts) do
      conn
        |> Guardian.Plug.put_current_token(token, key: "default")
        |> Guardian.Plug.put_current_claims(claims, key: "default")
    else
     _error -> conn
      |> send_resp(401, Jason.encode!("Could not validate token"))
      |> halt()
    end
  end

  defp get_token_from_cookie(conn, opts) do
    key = Keyword.get(opts, :key, "token")
    token = conn.req_cookies[key]
    if token, do: {:ok, token}, else: :no_token_found
  end
end

but I would like to find the proper way to do it.

muelthe · November 10, 2023, 1:21pm

I had been working through an issue mself (hence the original question). I have a very simple setup (almost identical to the docs in conjunction with Ueberauth for an msoauth setup) and the problem for me was misconfiguration of the endpoint, specifically the SameSite config.

micahsoftdotexe · November 10, 2023, 10:03pm

Hmmm. That is interesting. I had followed several tutorials but it appeared like it was not able to fetch the cookie and that was why I decided to attempt to fetch it myself and utilize some of the functions within guardian to validate the value within the cookie.

micahsoftdotexe · November 15, 2023, 4:32pm

I apologize I just now saw this message. Feel free to send me a message. I will also check out Pow. From a quick glance, it has nice documentation on how to use it within the context of an api which is wonderful! It also looks like it is following the double submit cookie pattern which I am attempting to do!