I’m using plug (without Phoenix), and I’ve got a router that contains something like the following:
get "/users/:user_id/favorites" do
body = get_favorites(user_id)
send_resp(conn, 200, body)
end
I’d like to use JWT to restrict access to this route based on :user_id, but using a secret associated with :user_id.
Using Guardian (or, more directly, using Joken), I can implement JWT checking for the entire application, but I can’t figure out how to attach authentication “middleware” to this route and get hold of the value of :user_id.
You can put your auth logic in a plug and route the requests that need to be authenticated via it.
One way to do it is by adding an extra “authenticated” router plug.
defmodule YourApp.MainRouter do
use Plug.Router
plug :match
# ...
plug :dispatch
get "/" do
send_resp(conn, 200, "all unauthenticated requests can be handled in this router")
end
forward "/users", to: YourApp.AuthedRouter
end
defmodule YourApp.AuthedRouter do
use Plug.Router
plug :match
plug YourApp.AuthPlug
plug :dispatch
get "/:user_id/favorites" do
body = get_favorites(user_id)
send_resp(conn, 200, body)
end
end
But if you don’t have many routes that need to be authenticated, you can put the “whether to authenticate?” logic into the authenticating plug itself.
defmodule YourApp.AuthPlug
@behaviour Plug
def init(opts), do: opts # maybe list the routes that need to be authenticated in opts
def call(%{path_info: ["users" | _rest]}, _opts) do
# authenticate
end
def call(conn, _opts) do
# don't authenticate
conn
end
end
Plug.Router accepts a private assign per route. Joken 1 leverage this by letting you customize Joken.Plug per route. This is useful when, for example, you don’t want a 401 on unmatched routes. See example here. Look for the second scenario. Implementation wise just be sure to plug it in between match and dispatch.
We are on the process of making Joken 2 which will have a different API. But if you are already using Joken maybe that can help.
Yeah, I saw that. It’s unclear to me how, or if it’s even possible, to pass a different secret (based on the matching path segment) to the verify function.
You can look at how we’ve implemented this plug (it is a single source file) here.
Since our implementation isn’t flexible enough for your use case, you can use it as a baseline if you want to keep a single router (though @idi527’s anwer would work just as well). Specifically, on this line you can fetch the path from the conn since it already matched.