Implementing API Authentication with Guardian in Phoenix

mhanberg · December 1, 2017, 2:00am

Hi! I recently finished adding authentication to my Phoenix API, so I wanted to share what I learned.

I haven’t created authentication for an API only application before, so not using sessions/cookies was a little confusing at first. I hope this post can help others who haven’t writter an API before!

Thanks!

acrolink · December 1, 2017, 3:50am

@mhanberg, thank you very much. I want to ask, for how long is the token valid? How to configure that setting and does the token refresh / extends its validity the user actively is using it (i.e. does it expire only if it had been idle for some time)

mhanberg · December 1, 2017, 2:08pm

The documentation for the configuration you’re looking for is here https://github.com/ueberauth/guardian#jwt-configuration. These options go in the configuration in config.ex

The default TTL (time to live) for the JWT is 4 weeks and I believe you need to manually refresh the token. My post doesn’t detail that aspect

soundstruck · December 4, 2017, 8:07pm

Also have a look at https://github.com/ueberauth/guardian_db for a way to revoke tokens issued.

acrolink · December 6, 2017, 5:22pm

Would you elaborate this piece of code, how to handle email errors here (email not found or wrong password), i.e. how to return 401 if email not found or credentials are wrong, here:

def sign_in(conn, params) do
  # Find the user in the database based on the credentials sent with the request
  with %User{} = user <- Accounts.find(params.email) do
    # Attempt to authenticate the user
    with {:ok, token, _claims} <- Accounts.authenticate(%{user: user, password: login_cred.password}) do
      # Render the token
      render conn, "token.json", token: token
    end
  end
end

mhanberg · December 6, 2017, 5:45pm

I’m on a business trip right now, I’ll reply to this when I get some free
time. But in the meantime, look into the Phoenix Fallback Controller
functionality.

Relevant blog ->

https://swanros.com/2017/03/04/action-fallback-contexts-phoenix1-3-tiny-controllers/amp/

acrolink · December 6, 2017, 6:15pm

I have managed to put this code together:

defmodule AcrosapWeb.FallbackController do
  @moduledoc """
  Translates controller action results into valid `Plug.Conn` responses.
  See `Phoenix.Controller.action_fallback/1` for more details.
  """

  use AcrosapWeb, :controller

  def call(conn, {:error, %Ecto.Changeset{} = changeset}) do
    conn
    |> put_status(:unprocessable_entity)
    |> render(AcrosapWeb.ChangesetView, "error.json", changeset: changeset)
  end

  def call(conn, {:error, :not_found}) do
    conn
    |> put_status(:not_found)
    |> render(AcrosapWeb.ErrorView, :"404")
  end

  def call(conn, {:error, :unauthorized}) do
    conn
    |> put_status(:forbidden)
    |> json(%{status: "forbidden"})
  end


end

it is working except at the situation that the user object cannot be found by his email address, I get this error:

(FunctionClauseError) no function clause matching in AcrosapWeb.FallbackController.call/2

mhanberg · December 6, 2017, 9:42pm

I would take a look at the return value of the call you’re making in the with expression.

kokolegorille · December 6, 2017, 10:11pm

To get rid of this error message, You can add something like this

  def call(conn, args) do
    IO.inspect args
    conn
    |> put_status(:whatever)
    |> json(%{status: "whatever"})
  end

acrolink · December 7, 2017, 6:25am

Thanks @kokolegorille, based on your idea I have found that the code block needed to handle wrong email address (non existent in DB) is:

def call(conn, :nil) do
  conn
  |> put_status(:unauthorized)
  |> json(%{status: "unauthorized"})
end