I’m creating a Phoenix API backend that will be used with a Vue frontend app. I have experience building a traditional server-rendered app that uses Pow for authentication, but have never built a SPA before.
I’ve gone through https://hexdocs.pm/pow/api.html, which makes me question if Pow is the right choice for my case. Our app is an internal management system used by at most a dozen users, so stateless token authentication shouldn’t be a requirement (i.e. we can afford to check the DB on every request), and introducing the refresh token & access token distinction seems to introduce a lot of unnecessary complexity.
Would it be reasonable in my case to hand-roll something like this?
- Authenticate against a
- Store server-side sessions in a sessions table in, say, Postgres, with roughly the following schema: id, user_id, inserted_at, updated_at. The updated_at column can be used to implement a TTL, say 2 weeks, and can be updated every time an authenticated user sends a request.
- The token sent to the frontend app is simply a signed session ID.
- (I’m not sure what to do if I want to access additional information, say user permissions, in the frontend app though. In a server-rendered Pow app, I would just consult a permissions field on the current_user assign set by Pow. Any suggestion is appreciated!)
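As an added illustration of the design sketched in the list above (example code written for this page, not the poster's code and not Pow's), here is one way to express the sessions table, the signed-session-ID token and the sliding two-week TTL as a Plug. It assumes hypothetical module names (`MyApp.Repo`, `MyApp.Accounts.User` with a `permissions` field, `MyApp.Accounts.Session`) and that the app's secret is reachable through the `conn`, as Phoenix.Token expects. Because the database row governs the session's lifetime, the token's own signature age is set to `:infinity` (an assumption that the underlying `Plug.Crypto` verifier accepts that value); deleting the row is what revokes the session.

```elixir
# Added example, not from the original post. All module names are hypothetical.
defmodule MyApp.Accounts.Session do
  use Ecto.Schema

  # Mirrors the schema from the post: id, user_id, inserted_at, updated_at.
  schema "sessions" do
    belongs_to :user, MyApp.Accounts.User
    timestamps(type: :utc_datetime)
  end
end

defmodule MyAppWeb.Plugs.SessionAuth do
  @moduledoc """
  Expects `Authorization: Bearer <token>`, where <token> is a session id signed
  with Phoenix.Token. Verifies the signature, loads the session row, enforces
  the updated_at-based TTL, refreshes updated_at (sliding expiry) and assigns
  :current_user, so controllers can read user.permissions from it.
  Any failure yields 401 and halts the pipeline.
  """
  import Plug.Conn
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Accounts.{Session, User}

  # The salt namespaces the signature; it is not a secret. The secret comes from
  # the endpoint's secret_key_base via the conn.
  @salt "api session"
  @ttl_seconds 14 * 24 * 60 * 60 # two weeks, as in the post

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         # Assumption: max_age :infinity is accepted; the DB row, not the
         # signature, decides whether the session is still alive.
         {:ok, session_id} <- Phoenix.Token.verify(conn, @salt, token, max_age: :infinity),
         %Session{} = session <- Repo.get(Session, session_id),
         :ok <- check_ttl(session) do
      session = touch(session)
      user = Repo.get!(User, session.user_id)

      conn
      |> assign(:current_session, session)
      |> assign(:current_user, user)
    else
      # Missing header, bad signature, unknown/deleted row or expired TTL all
      # end up here; the response deliberately does not say which.
      _ ->
        conn
        |> send_resp(401, "unauthorized")
        |> halt()
    end
  end

  # Login: insert the row, then hand the frontend the signed row id.
  def create_token(conn, user_id) do
    session = Repo.insert!(%Session{user_id: user_id})
    Phoenix.Token.sign(conn, @salt, session.id)
  end

  # Logout / revocation: removing the row invalidates the token immediately,
  # which is exactly what a stateless access token cannot offer.
  def revoke(session_id) do
    Repo.delete_all(from s in Session, where: s.id == ^session_id)
  end

  # TTL check against updated_at, the "last seen" timestamp from the post.
  defp check_ttl(%Session{updated_at: last_seen}) do
    if DateTime.diff(DateTime.utc_now(), last_seen, :second) <= @ttl_seconds,
      do: :ok,
      else: {:error, :expired}
  end

  # Sliding expiry: bump updated_at on every authenticated request.
  # :utc_datetime columns need second precision, hence the truncate.
  defp touch(session) do
    now = DateTime.truncate(DateTime.utc_now(), :second)

    session
    |> Ecto.Changeset.change(updated_at: now)
    |> Repo.update!()
  end
end
```

A controller placed after this plug can return whatever the Vue app needs from `conn.assigns.current_user` (for instance a `GET /me` response that includes the `permissions` field), which keeps authorization data on the server side where the session row already lives rather than encoding it into the token. One refinement worth considering: writing `updated_at` on every request means one UPDATE per call, so on a busier system you would only touch the row when it is older than some fraction of the TTL.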