mix phx.gen.auth to create an authentication system. Now the user session/reset password is part of the non-LiveView app while most authenticated points are “live”. The only exception is the UserSettings portion of the auth. I’d like these to be “live” as well.
The first thing I tried was moving the “update password” feature to live. So I made a LiveComponent to open a modal and, using phx-trigger-action, I can validate inside the LiveView component and then submit it to the UserSettingsController to handle clearing the session and re-logging in the user. Then it’ll kick me back to the live session.
This all works fine, but I can’t help but wonder if there may be a security issue here.
Is it safe to send the new password this way?
When the form validates, it automatically clears the password fields. I then have to repopulate the values using socket.assigns before submitting over HTTP. Is there an issue with having the passwords in the assigns or manually set using the