I recently started working with LiveView and I am trying to wrap my mind around its concepts. I have an application that allows users to register and log-in to the application. Once the user clicks register, he is redirected to the register page that has register form. But now I would like to remove access to all register links and disable access to all the register routes by returning 401 (Unauthorized) status code. Would appreciate some guidance on where or how to achieve this. Thank you
I don’t think you yet grasp how it works. It’s not an API and it uses Websocket not http requests so you can’t just return 401 http status code. You should have authorization check in LiveView code that checks if user is authorized or not. So just logout user by removing their authorization and then redirect them to page where unauthorized users are usually redirected to.
I don’t how your authorization has been done but here is an example how I would do it.
Company I work for doesn’t use Elixir but because of requirements for our app I created a login system based on authorizations. So instead of having authorization cookie we have JWT token in a cookie that contains unique client id for the browser. Then when user logs in we write authorization for the client id to database. So we only need to remove authorization from database for that client id if we want to logout someone. This also allows us to logout user from all browsers they have used to log in.
Only thing we do for the cookie is when half of its time to expiration has been reached we (renew) create new cookie with same client id with new expiration date.
Because you can’t create cookies with websocket connection. One possibility is to have login page that is normal page (not LiveView page) that creates the cookie because cookies related to authorization should be httponly. Another possibility is have login as LiveView page but if client id cookie doesn’t exist redirect them through a normal http endpoint that creates the cookie and redirects back to LiveView login page. Then you have think how to renew the cookie when time comes. You probably get renew working by doing a XHR request from browser into a normal http endpoint that basically doesn’t do anything except check if expiration date of client id cookie is close enough to expiration and then returning renewed cookie if it is.
