Plug: Per-route authentication

I’m using plug (without Phoenix), and I’ve got a router that contains something like the following:

get "/users/:user_id/favorites" do
    body = get_favorites(user_id)
    send_resp(conn, 200, body)
end

I’d like to use JWT to restrict access to this route based on :user_id, but using a secret associated with :user_id.

Using Guardian (or, more directly, using Joken), I can implement JWT checking for the entire application, but I can’t figure out how to attach authentication “middleware” to this route and get hold of the value of :user_id.

Any pointers?

:wave:

You can put your auth logic in a plug and route the requests that need to be authenticated via it.

One way to do it is by adding an extra “authenticated” router plug.

defmodule YourApp.MainRouter do
  use Plug.Router
  
  plug :match
  # ...
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "all unauthenticated requests can be handled in this router")
  end

  forward "/users", to: YourApp.AuthedRouter
end
defmodule YourApp.AuthedRouter do
  use Plug.Router

  plug :match
  plug YourApp.AuthPlug
  plug :dispatch

  get "/:user_id/favorites" do
    body = get_favorites(user_id)
    send_resp(conn, 200, body)
  end
end

But if you don’t have many routes that need to be authenticated, you can put the “whether to authenticate?” logic into the authenticating plug itself.

defmodule YourApp.AuthPlug
  @behaviour Plug

  def init(opts), do: opts # maybe list the routes that need to be authenticated in opts

  def call(%{path_info: ["users" | _rest]}, _opts) do
    # authenticate
  end

  def call(conn, _opts) do
    # don't authenticate
    conn
  end
end

Plug.Router accepts a private assign per route. Joken 1 leverage this by letting you customize Joken.Plug per route. This is useful when, for example, you don’t want a 401 on unmatched routes. See example here. Look for the second scenario. Implementation wise just be sure to plug it in between match and dispatch.

We are on the process of making Joken 2 which will have a different API. But if you are already using Joken maybe that can help.

Yeah, I saw that. It’s unclear to me how, or if it’s even possible, to pass a different secret (based on the matching path segment) to the verify function.

You can look at how we’ve implemented this plug (it is a single source file) here.

Since our implementation isn’t flexible enough for your use case, you can use it as a baseline if you want to keep a single router (though @idiot’s anwer would work just as well). Specifically, on this line you can fetch the path from the conn since it already matched.

Hope this helps.