How to Logged Out Users Using Guardian Authentication - Elixir?

hariharasudhan94 · April 11, 2017, 5:54am

I am using Guardian for Authentication, After Token generated All the expected results working correctly,if user logged out EnsureAuthenticated working correctly, But if i delete the user from my db directly Guardian.Plug.EnsureAuthenticated still allow him to access Protected Page How can i rectify??

My router.ex

  pipeline :browser_auth do
    plug Guardian.Plug.VerifySession
    plug Guardian.Plug.LoadResource
    plug Guardian.Plug.EnsureAuthenticated, handler: MyApp.Web.SecurityController
  end

  scope "/", MyApp.Web do
    pipe_through [ :browser, :browser_auth ]
    get "/profile/show", ProfileController, :show
   end

Serializer.ex

   def for_token(user = %User{}), do: { :ok, "User:#{user.id}" }
   def for_token(_), do: { :error, "Unknown resource type" }

   def from_token("User:" <> id), do: { :ok, UserRepo.find_by_id(id) }
   def from_token(_), do: { :error, "Unknown resource type" }

Repo.ex

  def find_by_id(id) do
    filter = %{"_id" => BSON.ObjectId.decode!(id) }
    cursor = Mongo.find(:mongo, "users", filter, limit: 1)
    result = Enum.to_list(cursor)
    if length(result) == 1 do
      struct_from_map(hd(result))
    else
      {:error, id}
    end
  end

hlx · April 11, 2017, 12:32pm

Guardian.Plug.EnsureResource

Looks for a previously loaded resource. If not found, the :no_resource function is called on your handler.

hariharasudhan94 · April 11, 2017, 2:36pm

@hlx thank u so much,
I resolved by adding pipleline in router.ex

pipeline :browser_auth do
  plug Guardian.Plug.VerifySession
  plug Guardian.Plug.LoadResource
  plug Guardian.Plug.EnsureResource, handler: myApp.Web.SecurityController
  plug Guardian.Plug.EnsureAuthenticated, handler: myApp.Web.SecurityController
end

My Handler function which called when no resource is found:

def no_resource(conn,_params) do
  conn
  |>Guardian.Plug.sign_out
  |>redirect(to: security_path(conn, :login_new))
end

hariharasudhan94 · April 12, 2017, 5:19am

@hlx if i add the following code

conn
 |> Guardian.Plug.sign_out
 |> put_status(401)
 |> put_flash(:info, "Authentication required")
 |> redirect(to: security_path(conn, :login_new))

everything works correctly, but after adding put_status(401) it shows You are being redirected., but page not redirected until i click redirected, why adding status not allow to redirect the page

ryanwinchester · August 5, 2020, 12:30am

That’s because redirects are status 301 or 302, but you’re overriding that with 401