But does Pow really give you more security, though, and at what cost?
I’d like to remind you that the generation tool relies on secure libraries/components that are independently updated: the hashing (argon2, pbkdf2, bcrypt, :crypto, …), Phoenix Token/Plug Session, …
I haven’t used Pow, but browsing through the docs, if you need the functionality that the generation tool provides, you need to add Pow-specific code in many layers of your application, and often through code injection.
Why? Because this auth code is not only about authenticating a user against an email and password, or verifying a token for email confirmation. It’s far more than that: actually most of the code is about providing form validation (changesets), controllers receiving auth-related requests, routes … it manages the flow of the request from the template or a link in an email, to routes, controllers, context, schema/changesets and the DB. And most of the code is actually not security-related. And it comes with many possible customizations.
Just the amount of code injection (use) needed to make Pow achieve what the generation tool provides shows that.
Say we don’t trust our junior developers too much; what will prevent a developer from removing some Pow changeset in the code? It’s not as if, when you’re using Pow, your code can never be compromised.
Maybe it’s interesting to evaluate precisely where things might go wrong before arriving at the conclusion that generating that code in the codebase is not worth the risks – concretely, which risks? For almost every generated context function, you have to provide a user, and in every generated query, we link the query with that user; as long as you provide the right user, I don’t see right now how one can mess it up.
The generation tool also allows the developers to know exactly how the authentication system works. I would prefer to work with developers that know what they’re doing instead of developers that use such a black-box, but only because this black-box is spread throughout all the layers of your application.
Browsing pow’s documentation, I don’t understand how to revoke a particular session in a running system. For example, the code generated by the tool stores a token for every session in the database. I can delete such a token to revoke one specific session; and I clearly see in which table/field as I have total control; how do I do that with pow? (maybe I missed something, but it’s to express my last point; not only the flow of the requests is highly custom, but even the authentication mechanism itself can come in many different shapes).
For me it’s mix phx.gen.auth all the way.
Btw, sorry if I sound harsh; while I believe changesets/context/controller/template/route/… all of this should be generated instead of injected with use and all possible configs, I would still use a library that manages the cookies, provides different plugs to extract a token from a header/cookie, plugs for Absinthe, etc. There’s a lot of (more specialized) stuff one can build around the generated code. I’d also rather see more tutorials to educate devs, helping them understand and customize the auth code, rather than relying on tools that inject code in an obscure way, in every layer.
PS: sorry if there are mistakes; again, I didn’t use Pow, I only judge from what I read quite quickly through the docs, and I understand why jose took the other approach of generating code. I personally use the generation tool for my project as it makes more sense to me and just seems the most logical way, per my understanding expressed above.
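The per-session revocation the post describes (one row per session in the generated users_tokens table, scoped to the owning user), as an added Elixir example that is not from the post or from phx.gen.auth itself; MyApp.Repo, MyApp.Accounts.UserToken and MyApp.Accounts.Sessions are assumed names, and the users_tokens columns (id, user_id, token, context, inserted_at) are assumed to match what the generator produces.

```elixir
# Added example, not code from the post or from phx.gen.auth.
# Assumes the generator's schema: a "users_tokens" table with columns
# id, user_id, token (binary), context (string) and inserted_at.
# MyApp.Repo and MyApp.Accounts.UserToken are hypothetical module names.
defmodule MyApp.Accounts.Sessions do
  import Ecto.Query, warn: false
  alias MyApp.Repo
  alias MyApp.Accounts.UserToken

  # Context string the generated session plug stores and looks up.
  @session_context "session"

  @doc """
  Lists a user's active sessions (e.g. for a "your devices" page).
  Only row ids and timestamps are returned; the opaque token bytes
  themselves are never handed out.
  """
  def list_sessions(user_id) do
    Repo.all(
      from t in UserToken,
        where: t.user_id == ^user_id and t.context == @session_context,
        select: %{id: t.id, inserted_at: t.inserted_at}
    )
  end

  @doc """
  Revokes exactly one session. The delete is scoped to the row id AND
  the user id, so a caller acting for one user cannot remove another
  user's session by guessing a row id. On the next request the session
  plug fails to find the token row and treats the browser as logged out.
  """
  def revoke_session(user_id, token_id) do
    {count, _} =
      Repo.delete_all(
        from t in UserToken,
          where:
            t.id == ^token_id and t.user_id == ^user_id and
              t.context == @session_context
      )

    if count == 1, do: :ok, else: {:error, :not_found}
  end

  @doc "Revokes every session of a user (password change, suspected compromise)."
  def revoke_all_sessions(user_id) do
    {count, _} =
      Repo.delete_all(
        from t in UserToken,
          where: t.user_id == ^user_id and t.context == @session_context
      )

    {:ok, count}
  end
end
```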