I’ve used mix phx.gen.auth to create an authentication system. Now the user session/reset password is part of the non-LiveView app while most authenticated points are “live”. The only exception is the UserSettings portion of the auth. I’d like these to be “live” as well.
The first thing I tried was moving the “update password” feature to live. So I made a LiveComponent to open a modal and, using phx-trigger-action, I can validate inside the LiveView component and then submit it to the UserSettingsController to handle clearing the session and re-logging in the user. Then it’ll kick me back to the live session.
This all works fine, but I can’t help wondering if there may be a security issue here.
- Is it safe to send the new password this way?
- When the form validates, it automatically clears the password fields. I then have to repopulate the values using socket.assigns before submitting over HTTP. Is there an issue with having the passwords in the assigns or manually set using the value attribute?
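An added illustration of the flow the post describes (validate over the LiveView socket, then let phx-trigger-action fire the real HTTP POST to a controller that rebuilds the session). This is not the poster's code; it is modeled on the shape of the LiveView settings page that phx.gen.auth generates in Phoenix 1.7, and the app name MyApp, the Accounts functions and MyAppWeb.UserAuth.log_in_user/3 are assumed to be that generator's output.

```elixir
# Added example, not the poster's code. Assumes a phx.gen.auth-generated
# app named MyApp; all module and function names are assumptions about
# that generated code.
defmodule MyAppWeb.UserSettingsLive do
  use MyAppWeb, :live_view

  alias MyApp.Accounts

  def mount(_params, _session, socket) do
    user = socket.assigns.current_user

    {:ok,
     socket
     |> assign(:current_email, user.email)
     |> assign(:current_password, nil)
     |> assign(:trigger_submit, false)
     |> assign(:password_form, to_form(Accounts.change_user_password(user)))}
  end

  def render(assigns) do
    ~H"""
    <.form
      for={@password_form}
      id="password_form"
      action={~p"/users/log_in?_action=password_updated"}
      method="post"
      phx-change="validate_password"
      phx-submit="update_password"
      phx-trigger-action={@trigger_submit}
    >
      <%!-- `action` makes <.form> emit the CSRF token hidden input; the
           controller re-authenticates with email + new password, so the
           email rides along as a hidden field. --%>
      <.input field={@password_form[:email]} type="hidden" id="hidden_user_email" value={@current_email} />
      <.input field={@password_form[:password]} type="password" label="New password" required />
      <.input field={@password_form[:password_confirmation]} type="password" label="Confirm new password" />
      <.input
        field={@password_form[:current_password]}
        name="current_password"
        type="password"
        label="Current password"
        id="current_password_for_password"
        value={@current_password}
        required
      />
      <button type="submit">Change Password</button>
    </.form>
    """
  end

  def handle_event("validate_password", params, socket) do
    %{"current_password" => password, "user" => user_params} = params

    # The changeset keeps the typed values in its `changes`, so re-rendering
    # from it restores the new-password inputs without a separate assign.
    # `current_password` is held in an assign; both live only in this
    # LiveView process and in the values pushed back to the same browser.
    password_form =
      socket.assigns.current_user
      |> Accounts.change_user_password(user_params)
      |> Map.put(:action, :validate)
      |> to_form()

    {:noreply, assign(socket, password_form: password_form, current_password: password)}
  end

  def handle_event("update_password", params, socket) do
    %{"current_password" => password, "user" => user_params} = params
    user = socket.assigns.current_user

    case Accounts.update_user_password(user, password, user_params) do
      {:ok, user} ->
        # Password is already changed in the DB. Flipping trigger_submit
        # makes the client POST this same form once over HTTP(S) to the
        # controller below, which rebuilds the session.
        password_form = user |> Accounts.change_user_password(user_params) |> to_form()
        {:noreply, assign(socket, trigger_submit: true, password_form: password_form)}

      {:error, changeset} ->
        {:noreply, assign(socket, password_form: to_form(changeset))}
    end
  end
end

defmodule MyAppWeb.UserSessionController do
  use MyAppWeb, :controller

  alias MyApp.Accounts
  alias MyAppWeb.UserAuth

  # Target of the phx-trigger-action POST above.
  def create(conn, %{"_action" => "password_updated", "user" => user_params}) do
    %{"email" => email, "password" => password} = user_params

    if user = Accounts.get_user_by_email_and_password(email, password) do
      conn
      |> put_session(:user_return_to, ~p"/users/settings")
      |> put_flash(:info, "Password updated successfully!")
      # In the generated UserAuth, log_in_user/3 clears and renews the
      # session id and issues a fresh session token for the user.
      |> UserAuth.log_in_user(user, user_params)
    else
      conn
      |> put_flash(:error, "Invalid email or password")
      |> redirect(to: ~p"/users/log_in")
    end
  end
end
```

What the code makes visible about the two questions: the plaintext exists in the LiveView process (in the changeset or an assign) and in the form values pushed back over the socket to the browser that typed it, then crosses once more in the HTTP POST that phx-trigger-action fires, carrying the CSRF token the `action` attribute adds. Whether those hops are encrypted is a property of the site's TLS (wss and https), not of LiveView itself. A raw string held in an assign is not covered by Ecto's `redact: true`, so keep `inspect(socket.assigns)` out of log statements.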