Session doesn't persist across web requests

phoenix
troubleshooting

#1

I have a full working web app with user authentication (sessions) and other capability that I am adding a JSON API to.
The first thing I’d like to allow is user login through the API.

I’m following this API guide: Building a JSON API in Elixir with Phoenix 1.4+

In searching, I found this thread that seems related, but really isn’t: [Programming Phoenix] How do sessions work in Programming Phoenix?

Here are the basics:

router.ex

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  ###################################################################
  #
  # Pieplines
  #
  ###################################################################

# ...

  pipeline :api do
    plug :accepts, ["json"]
    plug :fetch_session
  end

  pipeline :api_auth do
    plug :ensure_authenticated
  end



  ###################################################################
  #
  # Scopes
  #
  ###################################################################

# ...

  scope "/api", MyAppWeb do
     pipe_through :api
     post "/login", SessionController, :api_create
   end

  scope "/api", MyAppWeb do
     pipe_through [:api, :api_auth]
     get "/logout", SessionController, :api_delete
     get "/settings", SessionController, :api_settings
   end

  ###################################################################
  #
  # Functions
  #
  ###################################################################

  defp ensure_authenticated(conn, _opts) do
    current_user = get_session(conn, :current_user)

    if current_user do
      conn
    else
      conn
      |> put_status(:unauthorized)
      |> put_view(MyAppWeb.ErrorView)
      |> render("401.json", message: "Unauthenticated user.")
      |> halt
    end
  end

end

session_controller.ex

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  alias MyApp.Repo
  alias MyApp.Account.Authentication

  plug :put_layout, "hero.html"



  ###################################################################
  #
  # Internal Controller Actions
  #
  ###################################################################

# ...



  ###################################################################
  #
  # External (API) Controller Actions
  #
  ###################################################################

  def api_create(conn, params) do
    case Authentication.login(params, Repo) do
      {:ok, user} ->
        conn
        |> put_session(:current_user, user.id)
        |> put_status(:ok)
        |> put_view(MyAppWeb.SessionView)
        |> render("login.json", user: user)
      :error ->
        conn
        |> delete_session(:current_user)
        |> put_status(:unauthorized)
        |> put_view(MyAppWeb.ErrorView)
        |> render("401.json", message: "Invalid credentials.")
    end
  end

  def api_delete(conn, _) do
    conn
    |> delete_session(:current_user)
    |> put_status(:ok)
    |> put_view(MyAppWeb.SessionView)
    |> render("logout.json", message: "Logged out.")
  end

  def api_settings(conn, _) do
    conn
    |> put_view(MyAppWeb.SessionView)
    |> render("settings.json", message: "Settings!")
  end

end

session_view.ex

defmodule MyAppWeb.SessionView do
  use MyAppWeb, :view

  alias MyAppWeb.SharedView

  def render("login.json", %{user: user}) do
    %{
      data: %{
        user: %{
          id: user.id,
          email: user.email
        }
      }
    }
  end

  def render("logout.json", %{message: message}) do
    %{data: %{detail: message}}
  end

  def render("settings.json", %{message: message}) do
    %{data: %{detail: message}}
  end

end

I may have left out some files you’d like to see. Let me know and I will add them.

I am first logging into the site using the API like this:
curl -H "Content-Type: application/json" -X POST -d '{"username":"bfenner","password":"PasswordPassword"}' http://localhost:4000/api/login

That returns me the correct JSON hash of:
{"data":{"user":{"email":"ben.fenner@myapp.com","id":1}}}

I should then be able to access routes behind the api_auth check, and something like this should work:
curl -H "Content-Type: application/json" -X GET http://localhost:4000/api/settings -c cookies.txt -b cookies.txt -i

Instead of getting the expected JSON hash of {"data":{"detail":"Settings!"}} I instead do not pass the api_auth check and get a return of {"errors":{"detail":"Unauthenticated user."}}.

I would expect the router pipeline plugs to fetch the correct session, then run it through the ensure_authenticated function (which it does) but the authentication check fails, because it fetches what looks like an empty session.
What am I doing wrong?


#2

Do you need cookies? The most API’s I have seen return a token upon login for you to sent back with every request in something like a header.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization


#3

You’re making lots of sense, and I thought that might be the case earlier. So I decided to test the API against the eventual final solution, which is another web app running in a browser that would retain the cookie. However, I got distracted and never did that.

Mostly because the tutorial I’m following shows this should be possible without a token, or cookies (or is part of the curl command used to retain those?). Which I’m now doubting…

Is this possible?


#4

According to that screenshot you forgot to add the cookie params in curl when you login. You need that so curl will persist the cookies so you can reuse them in the next request.


#5

Oh, I sure did!
I was using the curl login command from earlier in the tutorial, which lacked the important cookie params.

Lets see how this goes!

Edit: It worked as expected! Thank you hlx for the second set of eyes. What a silly mistake.