Phoenix channels authentication with refresh token

aboozaid · October 22, 2021, 4:41pm

The flow of currently supported authentication through phoenix socket and channels is to use

connect(%{"token" => token}, socket, _connect_info)

and then a user just gets connected and can join any channel and listen for its events but what if an access token expired during listening or joining another channel? nothing happens because we just check the token in connect fun only. The solutions that come into my mind are

To verify token in every channel’s join and its events but I don’t know if that is the best choice!
To run a GenServer with a user token to broadcast an event if the access token expired and then terminate it

What do you think?

tomkonidas · October 22, 2021, 6:44pm

I do not think it matters if it expires, on connect verify the token and then assign the current user in the socket, and then you have access to the user in the assigns for you joins.
If you want to always have an active token in the client, you can use some sort of heartbeat that keeps on checking or if using JWT you can just look at when it expires and ask for a refreshed token.

aboozaid · October 22, 2021, 7:12pm

That’s what I’m trying to do but it doesn’t make sense to me to verify it on every channel’s join and its events, There should be a way like a middleware to verify there before access any channel and its events.

If I know when it expired how could you notify a user? (server side)

tomkonidas · October 22, 2021, 9:02pm

I guess I would create a user_auth/user/auth channel that is always connected and use that to check/verify/renew tokens between server and client

sb8244 · October 22, 2021, 11:57pm

First thing that comes to mind is to check validity on join and Process.send_after the time remaining difference to terminate the channel. If your client responds to the termination by checking it’s jwt validity and grabbing a new token, it should generally be pretty seamless.

You could handle this via the channel macro to get it across your entire system easily. Although, having a ton of Channels is probably rare.

aboozaid · November 12, 2021, 7:56am

Thanks for replying. I just used macro to handle this across all the channels. Here is the code

defmodule Api.Middleware do
  @moduledoc """
   The aim of using this is to provide a generic way
   to validate tokens across all channels.
  """
  defmacro middleware(head, [do: body]) do
    alias Api.Guardian
    {fn_name, args_ast} = Macro.decompose_call(head)
    [topic_arg, socket_arg] = args_ast

    quote do
      def unquote(fn_name)(unquote(topic_arg), payload = %{"token" => token}, unquote(socket_arg)) do
        case Guardian.decode_and_verify(token) do
          {:ok, _claims} -> unquote(body)
          {:error, reason} -> handle_auth_failure(reason)
        end
      end

      def unquote(fn_name)(unquote(topic_arg), _, unquote(socket_arg)), do: handle_auth_failure("token_not_found")

      def handle_auth_failure(reason), do: {:error, %{ reason: reason }}
    end
  end
end