Dear all,
I would like to make my SAAS aplication using only single login for every user email, I mean when they try to access using same email in another pc/laptop/mac they unable make it happen, it means like this scenario :
Hi
Assuming you are using mix phx.gen.auth, a users_tokens table (Schema) is created. You can change it so that, when a user tries to login, to check this table is there is already a token for him. If yes, you can destroy it.
If you are not using phx.gen.auth, you can just follow the same strategy. Create a table to keep your users sessions, every time a user tries to login, check from this table if an existing session exist for this user.
Please elaborate in code Sir
Not sure what you mean. Which part of it would you like me to write?
For me, its not about the code. Its about the logic. And the logic is there. Persist the user session, when a user tries to login from different device ou web client, delete the previous persisted session.
There is a guide about it in the official docs:
https://hexdocs.pm/phoenix/mix_phx_gen_auth.html
There is nothing about single login or OTP.
It is not about a single login, but a login with good practices.
It is a good starting point.
In my country, one account based on email would be disaster for SAAS business, imagine when 1 user email use by 1000 people
When you use mix phx gen auth you get the user_auth.ex file with this function
def log_in_user(conn, user, params \\ %{}) do
token = Accounts.generate_user_session_token(user)
user_return_to = get_session(conn, :user_return_to)
conn
|> renew_session()
|> put_token_in_session(token)
|> maybe_write_remember_me_cookie(token, params)
|> redirect(to: user_return_to || signed_in_path(conn))
end
You can put in another step here as the others have said where you check if there already is an active token for the user and then deny the login.
EDIT: Upon further consideration, I would rather modify the If-statement in the controller
You could modify this part of the code:
defp create(conn, %{"user" => user_params}, info) do
%{"email" => email, "password" => password} = user_params
if user = Accounts.get_user_by_email_and_password(email, password) do
conn
|> put_flash(:info, info)
|> UserAuth.log_in_user(user, user_params)
else
# In order to prevent user enumeration attacks, don't disclose whether the email is registered.
conn
|> put_flash(:error, "Invalid email or password")
|> put_flash(:email, String.slice(email, 0, 160))
|> redirect(to: ~p"/users/log_in")
end
end
And what do you do when they forget their password? You need email anyway to send them their new password or link to reset password. Or you can use an SMS or an external app, but given your problem with sharing emails, I doubt that mobile phone are not shared by many people as well ;D.
But if it’s like an intranet type of thing. For example, students that login with their IDs or some student card ID and some password you/department of the school or library or oganisation give them, why not. But then it would be best to implement it from scratch and forget the whole sending email and reseting thing altogether and the admin of that intranet website would be doing that manually or something when they reach for him or something.
Generally I’d advice to drop the existing session and starting a new one rather than not allowing the login if a session exists. That’ll be closer to “a single session active” as the latter might mean no session active, it’s just not known to the server that the existing one is no longer in use.
However this approach cannot prevent account sharing. Users can share cookies like they can share access credentials. It’s just a bit more effort required.
Then adapt it to use whatever you want to use.
As I said, the generated files are a good starting point, not a “fits-all” solution.
© Copyright Elixir Forum | Terms | Privacy & Cookies
