dave0

dave0

LiveView Security with phx.gen.auth

I’ve used mix phx.gen.auth to create an authentication system. Now the user session/reset password is part of the non-LiveView app while most authenticated points are “live”. The only exception is the UserSettings portion of the auth. I’d like these to be “live” as well.

The first thing I tried was moving the “update password” feature to live. So I made a LiveComponent to open a modal and, using phx-trigger-action, I can validate inside the LiveView component and then submit it to the UserSettingsController to handle clearing the session and re-logging in the user. Then it’ll kick me back to the live session.

This all works fine, but I can’t help wonder if there may be a security issue here.

  1. Is it safe to send the new password this way?

  2. When the form validates, it automatically clears the password fields. I then have to repopulate the values using socket.assigns before submitting over HTTP. Is there an issue with having the passwords in the assigns or manually set using the value attribute?

Marked As Solved

f0rest8

f0rest8

I think you might find this thread helpful.

I’m not totally following your question but your change_password_component.html.leex (or equivalent) might look something similar to this:

<%= f = form_for @password_changeset, Routes.person_settings_path(@socket, :update_password),
        id: "form-update-password",
        phx_change: "validate_password",
        phx_submit: "update_password",
        phx_trigger_action: @password_trigger_action,
        phx_target: @myself %>
  ...
  <%= hidden_input f, :action, name: "action", value: "update_password" %>
  <%= password_input f, :password, value: input_value(f, :password) %>
  ...
</form>

I’ve stripped out a lot, but the input_value/2 from Phoenix.HTML needs to be set on your password field.

And you use the update/2 callback for Phoenix.LiveComponent in your change_password_component.ex file (or equivalent):

  @impl true
  def update(assigns, socket) do
    if socket.assigns[:current_person] do
      {:ok, socket}
    else
      {:ok,
       socket
       |> assign(:current_person, assigns.current_person)
       |> assign(:password_changeset, Accounts.change_person_password(assigns.current_person))
       |> assign(:current_password, nil)
       |> assign(:password_trigger_action, false)
      }
    end
  end
  ...

You’d also have handle_event/3 callbacks for "validate_password" and "update_password", or whatever you’d like to call those actions.

I’m planning to add another Medium post on switching the settings page over to a Live View page as a continuation of my other two posts (which you can find in the aforementioned thread), and I will update @slouchpie’s thread accordingly.

Hope this helps :heart:

Also Liked

dave0

dave0

Thanks, that was very helpful. In the other thread, you mentioned how bytepack_archive also moved some stuff into LiveView and I was just looking at that archive. Great to know they’re doing the same things I was questioning in this thread.

Where Next?

Popular in Questions Top

New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&amp;query=perfume&amp;page=2, I would like to get: ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
srinivasu
How to handle excepions in elixir? Suppose i have A, B, C ,D, E modules. and each module has get() function. A.get() method will call t...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New

Other popular topics Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39467 209
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement