I’ve been having (too much?) fun building stuff using Phoenix, so I thought I would try to dive into a realm I’ve always been uncomfortable with, authentication. I’ve only really worked on projects that didn’t need auth in the past, so I really feel out of my league… I worked through a pretty great tutorial on passwordless auth using tokens and email verification, but I’m left feeling confused with how the flow works from here.
I see the user is logged in via `Phoenix.Token.verify`, which checks the token it created earlier to ensure that it is still valid. But now what? I feel like I should be making a plug like `Myapp.EnsureToken` (and hopefully it would be able to fetch the current user data so that I could display their name and such on pages, or maybe I need a `Myapp.CurrentUser` plug too?) and sticking it in a pipeline like `:token_req`, then scoping pages that I want to have auth with this pipeline. In my mind something like:
```elixir
# web/router.ex
# ...
pipeline :token_req do
  plug Myapp.EnsureToken
  plug Myapp.CurrentUser
end
# ...
scope "/", Myapp do
  pipe_through [:browser]

  get "/signin/:token", SessionController, :show, as: :signin
  resources "/signin", SessionController, only: [:new, :create, :delete]
  resources "/register", UserController, only: [:new, :create]
  resources "/", PageController, only: [:index]

  scope "/verified", Verified, as: :verified do
    pipe_through [:token_req]
    resources "/", PageController, only: [:index]
  end
end
# ...
```
Is this the right idea? Or do I somehow not need these things with token (and if not, how does Phoenix know what’s happening with the token)?
If anyone has a good resource, or examples of the right kind of implementation for this kind of thing, I’d appreciate it if you could point me in the right direction. Thanks!
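As an added illustration of the plug the post is asking about (this is example code written for this page, not code from the original post or from any tutorial it mentions), here is one way `Myapp.EnsureToken` could look. It folds the "ensure token" and "current user" jobs into a single plug: it reads a signed token from the session, verifies it with `Phoenix.Token.verify/4` using a `max_age`, loads the user it refers to, and halts with a redirect when the token is missing, tampered with, expired, or points at a user that no longer exists. The module names `Myapp.Endpoint` and `Myapp.Accounts.get_user/1`, the session key `:user_token`, the salt string, and the sign-in path `/signin/new` are all assumptions for the example and would need to match the real application.

```elixir
# Assumed names: Myapp.Endpoint, Myapp.Accounts.get_user/1, a session key
# :user_token written at sign-in, and the salt used when the token was signed.
defmodule Myapp.EnsureToken do
  @moduledoc """
  Verifies the signed token stored in the session, loads the user it refers
  to into conn.assigns.current_user, and halts the connection (redirecting to
  the sign-in page) when the token is missing, invalid, expired, or refers to
  a user that cannot be found.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [put_flash: 3, redirect: 2]

  # Must be the same salt passed to Phoenix.Token.sign/4 when the session
  # token was created at sign-in (assumed value).
  @salt "user session"

  # Tokens older than this are rejected even if their signature is valid.
  # 14 days here; pick a lifetime that fits the application's risk tolerance.
  @max_age 60 * 60 * 24 * 14

  def init(opts), do: opts

  def call(conn, _opts) do
    token = get_session(conn, :user_token)

    # Phoenix.Token.verify/4 returns {:ok, data} only when the signature is
    # intact AND the token is younger than :max_age; otherwise it returns
    # {:error, :invalid}, {:error, :expired} or {:error, :missing} (nil token).
    with {:ok, user_id} <- Phoenix.Token.verify(Myapp.Endpoint, @salt, token, max_age: @max_age),
         %{} = user <- Myapp.Accounts.get_user(user_id) do
      assign(conn, :current_user, user)
    else
      _reason ->
        conn
        # Drop the stale or bad token so the user is not stuck in a loop.
        |> delete_session(:user_token)
        |> put_flash(:error, "You must be signed in to view that page.")
        |> redirect(to: "/signin/new")
        # halt/1 stops the rest of the pipeline and the controller from running.
        |> halt()
    end
  end
end
```

With this plug in the `:token_req` pipeline, every route under `scope "/verified"` either has `conn.assigns.current_user` set or never reaches its controller, so the controllers and templates in that scope can rely on the user being present. A design point worth noting: the one-time token in the emailed `/signin/:token` link and the session token checked by this plug are usually two different tokens. The link token is verified once in `SessionController.show` (ideally with a short `max_age`) and then exchanged for a fresh token that is written to the session; the plug only ever looks at that session token, so a leaked or replayed email link does not by itself grant a long-lived session.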