I was hoping to discuss the merits between the two libraries. I’ve been comparing them for a greenfield project and as someone new to Elixir and Phoenix, I am struggling to see any major difference between them.
Things I see they share in common:
Both appear to be primarily front-end (not API) based - more for web apps versus API serving apps.
Both appear to be somewhat opinionated on context design.
Both have installers and seem straightforward to implement.
Both have both Authentication and Authorization built in.
Phauxth seems to be more actively developed? Perhaps it is because Phauxth is newer or because the lead dev for Coherence is just tied up, but Coherence has had a security flaw open since August on GitHub, whereas Phauxth seems to be regularly worked on by its maintainer.
But I don’t know. As stated, I’m still a pretty darn Jr dev. I’m curious to get opinions from the community? I’m certainly not trying to pit them against each other - I appreciate any and all work done within this community as well as the OSS community in general! I’m just hoping to get someone to explain the differences so I or anyone else who sees this can choose the best option for their specific needs.
(I deliberately kept Guardian/Ueberauth out of the discussion because they really are in their own category - more of a “batteries not included” sort of package. Not an issue with that, just not something I am interested in at this point.)
As I recall, Coherence has only authentication, not authorization.
As for Phauxth, I’ve not looked closely enough at it yet, but I recall it doing only the absolute basics of authorization, not enough to really be useful except in the most basic of cases?
Phauxth is newer, hence more development and less usage thus far.
Personally, neither is really a fit for what I need to do (API auth, non-local auth like OAuth2 and so forth, in addition to needing detailed permission control for authorization).
Guardian is ‘mostly’ just JWT, useful in remote APIs, not in a local authentication system.
Ueberauth is purely an authentication library, fantastic for front-end and back-end both, less useful than Coherence for purely local logins, but absolutely fantastic for remote logins (like OAuth2, LDAP, whatever); it doesn’t come with templates (which I actually prefer libraries not to come with).
Good to know, so yeah, both Phauxth and Coherence are purely authentication (and Coherence is local only; I think Phauxth has ‘some’ remote auth support?).
Hi, I’m the maintainer of Phauxth, and it’s nice to see a little bit of interest in it.
I don’t really know enough about Coherence to comment on it, so I’ll just make a few points about what I’m trying to achieve with Phauxth:
It should be secure. This obviously applies to the core library, but it also has an impact on how I write documentation. I think that the documentation should make developers aware of security concerns as well as inform them about the basic workings of the library (this is also an important part of Comeonin, another library I maintain).
It should be easy to use. Again, documentation is important here. Also, the API is very straightforward - the library consists of Plugs (which you call with plug) and verify/3 functions, which are called like normal functions (with params, context module and options as arguments).
It should be extensible / customizable. By default, the number of options is quite limited, but I aim to make it as easy as possible to extend the base functionality so that developers can achieve their various goals. For example, it takes little effort to use a token implementation for authentication, or add additional checks to the login function.