How to get current path in on_mount hook?

Coffei · July 3, 2023, 7:27am

Hi, I am trying to implement authentication in Phoenix + LiveView and am stuck in
securing LiveView via on_mount hook.

What I need to do

I have an on_mount hook that checks if user is properly authenticated using a
session. If he is not authenticated I want to reload the page to trigger a Plug
for re-authentication (more on why I do it like that below). I have found no way
to do this correctly.

When I do just {:halt, socket}, it behaves the way I want: the socket is closed
and the page reloads after a while. Sometimes it takes a while but from UX
perspective this would be acceptable for me. However, LiveView doesn’t like this
and generates an error saying the hook X for lifecycle event :mount attempted to halt without redirecting.

OK, so I need to use redirect(socket, to: ...) before halting the socket, but
I want user to stay on the same URL so he doesn’t lose context. I haven’t found
a way to get current path in the on_mount hook. I can only redirect to fixed
path like /. I also tried using events, to push event to reload the page before
halting the socket, but the event didn’t get to the client and it would probably
not solve the error described above anyway.

So the first solution behaves like I want, and the second is probably correct
but doesn’t do what I want.

Why do I need it

The procedures above might seem a bit strange without some context. I am
implementing an authentication where I rely on an auth token from another
application. The token is stored in a cookie. I have a plug that reads the token
from the cookie, verifies it and stores the user ID in the session. If there is
no cookie or the token is invalid the user is redirected to the other app where
he logs in and is redirected back to my app. Apart from the user id we also store
an expiration in the session.

Then I have an on_mount hook that depends on the session (because I can’t get
to cookies from the hook). The session needs to contain valid user id and must
not be expired so the on_mount hook continues. The expiration is short - 10
minutes and prevents an attacker to open LV long after he got the initial page
(sort of like a max_age on the session itself).

If the session doesn’t contain a valid user id or it is expired the hook halts
the socket and should force user to reload the page so the plug is activated
again to re-validate the authentication.

I should also mention we do this, because the auth token is too big to put into
the session. We have many apps like this all running on the same host. If every
app would create a session with the auth token we would quickly run of out space.
In this case it seems right to me to rely on the original auth token in the cookie.
The apps are all running on the same machine and are part of the same erlang
cluster, so communication between the apps is fast.

Does anybody know if this has a solution?

codeanpeace · July 3, 2023, 10:41am

Have you tried socket.private.connect_info.request_path?

Also, here’s a recent related post:

Coffei · July 3, 2023, 11:07am

Yes the first thing I did was to inspect the whole socket to see if the path isn’t stored anywhere. Unfortunately the socket.private.connect_info.request_path is nil. I think only host and port was set there.

I also stumbled upon the handle_params hooks and tried that approach, but it seems such hooks run after the on_mount hook, so it’s no use to me I think.

LostKobrakai · July 3, 2023, 11:31am

You can delay redirecting until handle_params is called. No need to redirect in the on_mount handler.

codeanpeace · July 3, 2023, 11:52am

Hmm, instead of halting in the on_mount, you could try attaching a hook to handle_params that redirects and halts since the url will be available then.

  def on_mount(:reauth_check, _params, _session, socket) do
    ...
    if !authenticated? do
      {:cont, attach_hook(socket, :reload, :handle_params, fn
        _params, url, socket -> {:halt, redirect(socket, to: url)} end)
      )}
    else
      {:cont, socket}
    end
  end

Updated to add: As @LostKobrakai mentioned, you could just handle it entirely in handle_params. If you’re using live_session to group your live routes, then on_mount paired with attach_hook on handle_params could come in handy.

Coffei · July 3, 2023, 12:07pm

Thanks @LostKobrakai and @codeanpeace. Combination of on_mount and handle_params hook works great. Solved it like this:

  def on_mount(:ensure_authenticated, _params, session, socket) do
    if auth_ok do
      {:cont, socket}
    else
      socket =
        LiveView.attach_hook(socket, :redirect_and_halt, :handle_params, fn _, url, socket ->
          socket = LiveView.redirect(socket, to: URI.parse(url) |> Map.get(:path))
          {:halt, socket}
        end)

      {:cont, socket}
    end
  end