How do I keep my token in session?

gabriel137 · February 7, 2020, 2:56pm

Hi, I’m making a system in which I authenticate the user by querying his token in an api and I have a return in which later I direct him to my home screen, the problem that when he is directed, the page does not store the authentication token and says who is not authorized to view that page. I tried several ways, does anyone know how to keep the authorization?

My function:

def login(conn, params) do
      case HTTPoison.post "http://localhost:4000/api/v1/session",[],[{"Authorization", "bb485518-564c-4415-9abf-ce82f8d2095f"}] do
        {:ok, %HTTPoison.Response{status_code: 200, body: body}} ->
          token = body
          |> Jason.decode
          |> (fn {:ok, x} -> x["data"]["token"] end).()

          conn
          |> put_status(302)
          |> put_req_header("Authorization", "#{token}")
          |> redirect(to: Routes.live_path(conn, BoardLive, 3))
          |> IO.inspect


        {:ok, %HTTPoison.Response{status_code: 404}} ->
          IO.puts "Not found :("
        {:error, %HTTPoison.Error{reason: reason}} ->
          IO.inspect reason
      end

dimitarvp · February 7, 2020, 3:05pm

Use Plug.Conn.put_session?

NobbZ · February 7, 2020, 3:08pm

This is usually not a response header, but a request header. It is used by the client to authenticate against the server.

It is not meant to be used by the server to tell the client something.

gabriel137 · February 7, 2020, 3:57pm

I’m trying put_resp_headers but don’t recognize the function: /

gabriel137 · February 7, 2020, 3:57pm

How would it be?

NobbZ · February 7, 2020, 3:59pm

You need a client that knows how to understand information you pass via headers. Unless you have an API client sitting there, it is unlikely to be true.

So if you talk with a browser, you either want to use cookies or sessions.

dimitarvp · February 7, 2020, 4:06pm

Not sure if I am understanding your scenario correctly but regardless. This piece of your code can be slightly enriched:

          conn
+         |> Plug.Conn.put_session(:user_token, token)
          |> put_status(302)
-         |> put_req_header("Authorization", "#{token}")
          |> redirect(to: Routes.live_path(conn, BoardLive, 3))
          |> IO.inspect

In a default setup project this will add “user_token” value to your browser cookies for your domain and current browser session. You can open dev console on your browser and see for yourself.

gabriel137 · February 7, 2020, 4:19pm

Tested, but still not authorizing

NobbZ · February 7, 2020, 4:30pm

Well, how do you check. Presence of a random session cookie is not worth anything. You need to read it from your application.

gabriel137 · February 7, 2020, 4:38pm

I’m having difficulty reading it in my application, or I’m doing something wrong: / I need you to read and store it until you log out

NobbZ · February 7, 2020, 4:46pm

You need to call Plug.Conn.get_session/2 where appropriate.

https://hexdocs.pm/plug/Plug.Conn.html#get_session/2

dimitarvp · February 7, 2020, 5:26pm

These are not comments that will engage the community to help you because:

You haven’t shown us what you did.
You seem to have not researched the suggested solutions. You would know that if you do put_session then obviously you should also call get_session wherever mandated by your expected workflow as @NobbZ pointed out. Did you read the docs of Plug.Conn.put_session? And get_session’s?
You don’t seem to have researched existing auth solutions. F.ex., have you looked at Pow? You could actually fully use that with just one single customisation (namely your way of fetching a token). Pow can do everything else.
Did you try searching this forum for “put_session”? Like this?

People in this forum are willing to help but not if you are responding with a single sentence. Be more specific and show us what you tried.

gabriel137 · February 7, 2020, 5:38pm

Yes my friend, I already do personalized authentication through POW, I already register and authenticate, my problem is being the session persistence that I am not getting, but since the post is ‘bad’, I remove it, thanks.

NobbZ · February 7, 2020, 5:42pm

Session handling is something that pow does for you as far as I understand the bullet point list from its README.

Perhaps you could tell us what you already have, and what exactly isn’t working.

Perhaps create a sscce on GitHub that shows what you have and what is he problem.

gabriel137 · February 7, 2020, 5:48pm

In my case, I needed to customize my controllers because we are authenticating through an API with a token in which we need to store it locally to persist sessions. Our git is business

I can register at the moment and log in, however, when redirecting to my main page he denies me authorization.

NobbZ · February 7, 2020, 5:55pm

I didn’t say, please publish all your code.

I asked for an example project that shows the issue.

We can’t help you without seeing what you did.

gabriel137 · February 7, 2020, 6:03pm

I forgot to explain something, sorry, in this case I am already logged in and I am using my generated token to try to enter a session in which I am not being authorized.

gabriel137 · February 7, 2020, 6:08pm

Okay, I’ll do one more research here,