I am currently using Guardian to authenticate my client-side React app with JWTs.
I have two problems.
1. I’d like to use multiple subdomains. Saving the JWT in localStorage does not work for this as it is not cross-domain. Instead I am contemplating saving the JWT inside a cookie.
2. I’d like to use the same controller actions as in 1. for my public-facing API, but use an access token approach in this case.
So what is a good way to have different auth schemes, while reusing controllers?
You could keep a cookie on www.yoursalespage.com so you know what subdomains that user has… but force them to log in at their subdomain so you can keep the JWT in local storage.
I don’t think there’s anything wrong with storing a JWT in a cookie. Cookies and localStorage suffer from the same XSS vulnerabilities, and as long as you’re not sending the token by default with every request you should be safe from CSRF. The only difference would then be the size of the storage (localStorage can store bigger-sized content). With a cookie you also gain the cross-domain capability.
For number 2, I think it’s only a case of defining a pipeline and scope. I never tried it, but I assume Phoenix router would allow different routes to have the same handler function?
You’re right, Phoenix router with pipelines and scopes worked perfectly.
The only problem I am having now is that Guardian does not seem to allow authenticating sockets using the cookie, as you must explicitly pass in the JWT on connection.
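As an added example (not code from the thread or from the Guardian project), this is the shape the two answers above describe: one Phoenix router with a cookie-backed pipeline for browser subdomains and a bearer-token pipeline for the public API, both routing to the same controller actions, plus a socket that authenticates the JWT passed explicitly in the connect params. It assumes Guardian 1.x with an implementation module `MyApp.Guardian` (`use Guardian, otp_app: :my_app`), Phoenix 1.4 or later, and a controller `MyAppWeb.ItemController`; all module names are placeholders.

```elixir
# Added example, not from the thread. Assumptions: Guardian 1.x, Phoenix >= 1.4,
# MyApp.Guardian implements resource_from_claims/1, MyAppWeb.ItemController exists.

defmodule MyAppWeb.AuthErrorHandler do
  # Guardian calls this whenever a pipeline plug rejects the request.
  @behaviour Guardian.Plug.ErrorHandler
  import Plug.Conn

  @impl true
  def auth_error(conn, {type, _reason}, _opts) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(401, Jason.encode!(%{error: to_string(type)}))
  end
end

defmodule MyAppWeb.AuthPipeline.Browser do
  # Browser clients: the JWT is kept in the Phoenix session cookie.
  # For it to be shared across subdomains, the session cookie must be scoped
  # to the parent domain in the endpoint (assumed), e.g.
  #   plug Plug.Session, store: :cookie, key: "_my_app_key", signing_salt: "...",
  #     domain: ".example.com", secure: true, http_only: true, same_site: "Lax"
  use Guardian.Plug.Pipeline,
    otp_app: :my_app,
    module: MyApp.Guardian,
    error_handler: MyAppWeb.AuthErrorHandler

  plug Guardian.Plug.VerifySession
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end

defmodule MyAppWeb.AuthPipeline.Api do
  # API clients: access token sent as "Authorization: Bearer <token>",
  # never from a cookie, so no ambient credential is attached to cross-site requests.
  use Guardian.Plug.Pipeline,
    otp_app: :my_app,
    module: MyApp.Guardian,
    error_handler: MyAppWeb.AuthErrorHandler

  plug Guardian.Plug.VerifyHeader, realm: "Bearer"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end

defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug MyAppWeb.AuthPipeline.Browser
  end

  pipeline :api do
    plug :accepts, ["json"]
    plug MyAppWeb.AuthPipeline.Api
  end

  # The same controller actions, reached through two different auth schemes.
  scope "/", MyAppWeb do
    pipe_through :browser
    resources "/items", ItemController, only: [:index, :show, :create]
  end

  scope "/api/v1", MyAppWeb do
    pipe_through :api
    resources "/items", ItemController, only: [:index, :show, :create]
  end
end

defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  channel "items:*", MyAppWeb.ItemChannel

  # The client must pass the JWT explicitly, e.g.
  #   new Socket("/socket", { params: { token: jwt } })
  # The cookie is not consulted here; an unverifiable token refuses the connection.
  @impl true
  def connect(%{"token" => token}, socket, _connect_info) do
    with {:ok, claims} <- MyApp.Guardian.decode_and_verify(token),
         {:ok, user} <- MyApp.Guardian.resource_from_claims(claims) do
      {:ok, assign(socket, :current_user, user)}
    else
      _ -> :error
    end
  end

  def connect(_params, _socket, _connect_info), do: :error

  # Lets you disconnect every socket of a user when their token is revoked.
  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.current_user.id}"
end
```

Because the session cookie is `http_only`, browser JavaScript cannot read the JWT to put it in the socket params; in Phoenix 1.4 and later the endpoint can instead expose the session to the socket with `websocket: [connect_info: [session: @session_options]]`, after which `connect/3` receives `%{session: session}` and can read the token from there. Reject rather than downgrade when the token is missing, and keep the bearer pipeline free of any cookie fallback so the API path stays CSRF-safe.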