Unable to get the URI for a LiveView on_mount authorization hook

RobertoSchneiders · May 20, 2025, 6:04pm

I’m trying to get a centralized authentication/authorization system working by using the LiveView on_mount hook, not the handle_params.

This app has pages with different levels of authorization:

public: can be accessed by anyone, no need to be authenticated
require authentication: need authenticated users
require a specific user role: only users with specific roles can access (i.e :admin)

The users can live navigate through those pages, so an unauthenticated user may be able to click a button that navigates to a live view where authentication is required. So the objectives are pretty simple:

If an unauthenticated user is trying to (live) navigate to a LiveView that requires authentication, we redirect to login.
after logging in the user is redirected back to the page he wanted to access in the first place (important bit).
if the user is authenticated but not authorized, we just redirect to home and show a flash message.

I have a module that handles the app authorization based on the URI:

MyApp.authorized(user, uri)

My router:

  live_session :default,
    on_mount: [
      {MyAppWeb.UserAuth, :mount_current_user},
      {MyAppWeb.UserAuth, :ensure_authorized}
    ] do
...

How do I get or build the URI in the on_mount stage? I saw several forum posts and GitHub issues talking about using the handle_params instead. However, that creates several issues in my existing live views because the LiveViews on_mount are executing before authentication/authorization is done. Ideally, I would like to only run the LiveView code once authorization is done. I saw we use to have a few routing helpers (live_path) that would allow me to create the URI based on the live view module (socket.view) and params but that doesn’t exist anymore.

  def on_mount(:ensure_authorized, _params, _session, socket) do
    uri =  "" # <- how to get or build the URI at this stage???

    %{assigns: %{current_user: current_user}} = socket

    case Authorization.authorized(current_user, uri) do
      true ->
        socket
        |> Phoenix.Component.assign(:live_url, uri)
        |> cont()

      {:error, :not_authorized} ->
        socket
        |> Phoenix.LiveView.put_flash(:error, "Not Authorized")
        |> Phoenix.LiveView.redirect(to: ~p"/")
        |> halt()

      {:error, :requires_login} ->
        socket
        |> Phoenix.LiveView.put_flash(:error, "You must log in to access this page.")
        |> Phoenix.LiveView.redirect(to: ~p"/users/log_in?#{%{return_to: uri}}")
        |> halt()
    end
  end

krasenyp · May 20, 2025, 7:44pm

I’m not sure your idea would work because when you live navigate, the LiveView you’re navigating to doesn’t get mounted, only handle_params gets run.

Schultzer · May 20, 2025, 9:55pm

Yup, he would have to do both, I’ve built SSO authentication with assent and phoenix token that way, actually not only do you have to auth on mount and handle_params but also on regular plug. It can pay divided to centralize all this is in an Auth module that act as on_mount hook and a plug.

RobertoSchneiders · May 20, 2025, 11:06pm

I’m not sure I got it, can you elaborate? For me, every time I navigate from one LiveView to another, mount (and on_mount) is called. I think the only time when mount is not called is when you navigate using live_patch to the same LiveView, just changing URL parameters.

RobertoSchneiders · May 20, 2025, 11:09pm

Right, I’m definitely doing authentication/authorization on regular plug as well, which is way easier. Running the authorization layer in handle_params is also a non-issue since the URI is available, the problem is the on_mount, which doesn’t have the URI and I’m struggling to find a way to redirect to login and then back to the desired live view using on_mount.

mudspot · May 20, 2025, 11:34pm

Below is what I do in my codeset. Modify the track_page definition, (which has the url) to your liking - put your authorization codes there.

defmodule CheckDWeb.Pipelines.PageTracker do
  use CheckDWeb, :live_view

  def on_mount(
        _default,
        _params,
        _session,
        socket
      ) do
    if connected?(socket) do
      socket =
        socket
        |> attach_hook(:page_tracker, :handle_params, &track_page/3)

      {:cont, socket}
    else
      {:cont, socket}
    end
  end

  def track_page(_params, url, socket) do
    %{path: request_path} = URI.parse(url)

    {:cont, socket |> assign(:request_path, request_path)}
  end
end

In my router

  scope "/", CheckDWeb do
    pipe_through [:browser]

    live_session :default,
      on_mount: [CheckDWeb.Pipelines.PageTracker] do
      live "/create-profile", Live.MyData.CreateProfile
      live "/settings", Live.MyData.Settings, :main

Schultzer · May 20, 2025, 11:51pm

If the URL is dynamic, store it in the session and put the logic in a session controller, then your redirect in your mount will be generic.

mount sucks for these kind of operations, since it’s only handle_params that contain the URL as you state, so your only bet is to store in the session and handle_params assign the return_url when session expires for long lived live view, to this date there is no rock solid way to handle this, and you will have to duplicate work. In the end this comes down to LV design and since we’re at 1.0.0 I’m not sure there will ever be an ergonomic solution in mount.

You can always store it in a table in the database, but that is not ideal either.