Validate cookie in guardian

Is there a way to validate the cookie instead of validating authorization header in guardian?

thanks

Sure, what have you tried so far?

I send the cookie from the server using

conn
|> Plug.Conn.put_resp_cookie("token", token, http_only: true)
|> Plug.Conn.send_resp(:no_content, "")

but I get :unauthenticated from Guardian.Plug.EnsureAuthenticated

Is there anything I am missing?

Thanks

Have you tried adding Guardian.Plug.VerifyCookie to your router.ex pipeline?

I’m not sure about this one, but as I’ve understood, that plug fetches token from cookie (correct me if I’m wrong).

If you have a separate server for frontend, please ensure that you’re adding credentials: 'include' (fetch api) or withCredentials: true (axios).

Guardian.Plug.VerifyCookie doesn't seem to be working. I get nil trying to get the token using
Guardian.Plug.current_token(conn).

This is the conn

%Plug.Conn{
  adapter: {Plug.Cowboy.Conn, :...},
  assigns: %{},
  before_send: [#Function<0.93523768/1 in Plug.Telemetry.call/2>],
  body_params: %{"folder" => "folder"},
  cookies: %{
    "token" => "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhcGkiLCJleHAiOjE2MjM2ODY0NTcsImlhdCI6MTYyMTI2NzI1NywiaXNzIjoiYXBpIiwianRpIjoiM2U5MWQyYTEtNzU4Yi00MjgwLThjZDgtYmI4NTUzOTMzNDNiIiwibmJmIjoxNjIxMjY3MjU2LCJzdWIiOiJncmVhdGlzZ3JlYXQiLCJ0eXAiOiJhY2Nlc3MifQ.VSCXvWFRna_fao3PSDHdw9hohqgUFShvnv0BnqsInA64dJLY4LmOkJ6QQSMD_nhuw4yu7BjNbTcj8Domt2Uqkw"
  },
  halted: false,
  host: "192.168.1.13",
  method: "POST",
  owner: #PID<0.1147.0>,
  params: %{"folder" => "folder"},
  path_info: ["folder"],
  path_params: %{},
  port: 4000,
  private: %{
    ApiWeb.Router => {[], %{}},
    :guardian_error_handler => Api.UserManager.ErrorHandler,
    :guardian_module => Api.UserManager.Guardian,
    :phoenix_action => :create,
    :phoenix_controller => ApiWeb.FolderController,
    :phoenix_endpoint => ApiWeb.Endpoint,
    :phoenix_format => "json",
    :phoenix_layout => {ApiWeb.LayoutView, :app},
    :phoenix_request_logger => {"request_logger", "request_logger"},
    :phoenix_router => ApiWeb.Router,
    :phoenix_view => ApiWeb.FolderView,
    :plug_session_fetch => #Function<1.55231287/1 in Plug.Session.fetch_session/1>
  },
  query_params: %{},
  query_string: "",
  remote_ip: {192, 168, 1, 6},
  req_cookies: %{
    "token" => "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhcGkiLCJleHAiOjE2MjM2ODY0NTcsImlhdCI6MTYyMTI2NzI1NywiaXNzIjoiYXBpIiwianRpIjoiM2U5MWQyYTEtNzU4Yi00MjgwLThjZDgtYmI4NTUzOTMzNDNiIiwibmJmIjoxNjIxMjY3MjU2LCJzdWIiOiJncmVhdGlzZ3JlYXQiLCJ0eXAiOiJhY2Nlc3MifQ.VSCXvWFRna_fao3PSDHdw9hohqgUFShvnv0BnqsInA64dJLY4LmOkJ6QQSMD_nhuw4yu7BjNbTcj8Domt2Uqkw"
  },
  req_headers: [
    {"accept", "application/json, text/plain, */*"},
    {"accept-encoding", "gzip, deflate, br"},
    {"accept-language", "en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"},
    {"connection", "close"},
    {"content-length", "15"},
    {"content-type", "application/json;charset=UTF-8"},
    {"cookie",
     "token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhcGkiLCJleHAiOjE2MjM2ODY0NTcsImlhdCI6MTYyMTI2NzI1NywiaXNzIjoiYXBpIiwianRpIjoiM2U5MWQyYTEtNzU4Yi00MjgwLThjZDgtYmI4NTUzOTMzNDNiIiwibmJmIjoxNjIxMjY3MjU2LCJzdWIiOiJncmVhdGlzZ3JlYXQiLCJ0eXAiOiJhY2Nlc3MifQ.VSCXvWFRna_fao3PSDHdw9hohqgUFShvnv0BnqsInA64dJLY4LmOkJ6QQSMD_nhuw4yu7BjNbTcj8Domt2Uqkw"},
    {"dnt", "1"},
    {"host", "192.168.1.13:4000"},
    {"origin", "http://192.168.1.13:4000"},
    {"referer", "http://localhost:3000/home"},
    {"sec-ch-ua",
     "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\""},
    {"sec-ch-ua-mobile", "?0"},
    {"sec-fetch-dest", "empty"},
    {"sec-fetch-mode", "cors"},
    {"sec-fetch-site", "same-origin"},
    {"user-agent",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},
    {"x-forwarded-for", "127.0.0.1"},
    {"x-forwarded-host", "localhost:3000"},
    {"x-forwarded-port", "3000"},
    {"x-forwarded-proto", "http"}
  ],
  request_path: "/folder",
  resp_body: nil,
  resp_cookies: %{},
  resp_headers: [
    {"cache-control", "max-age=0, private, must-revalidate"},
    {"x-request-id", "Fn_l-w9MvNr4aakAAAXj"}
  ],
  scheme: :http,
  script_name: [],
  secret_key_base: :...,
  state: :unset,
  status: nil
}

I’m not sure if this is the cause of your difficulties, but it’s possible this is causing CORS weirdness since the two hostnames don’t agree. :thinking:

Did you pass the option to the VerifyCookie plug saying which key your cookie is stored under (based on the options section of the doc)? In your case, it should be token.

I tried plug Guardian.Plug.VerifyCookie, key: "token" but it did not fix it.

I am using my Phoenix server as the proxy in my React website. But I don't think it is the problem because VerifyHeader works.

I can get the cookie using conn.req_cookies["token"], but is there some way I can connect it to Guardian.Plug.EnsureAuthenticated to verify the token?

According to:

and

If you want to mimic what Guardian is doing, you need to put your token at the cookie key: guardian_default_token

Naming the cookie guardian_default_token using

Plug.Conn.put_resp_cookie("guardian_default_token", token, http_only: true)

worked.
Thanks
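
For the question above about connecting a cookie with a custom name to Guardian.Plug.EnsureAuthenticated, one possible approach is a small plug that verifies the cookie and stores the result where Guardian looks for it. This is an added example, not code posted in the thread or taken from Guardian; ApiWeb.Plugs.VerifyTokenCookie, Api.UserManager.CookiePipeline and otp_app: :api are hypothetical names, while the Guardian and error-handler modules are the ones visible in the conn dump.

```elixir
defmodule ApiWeb.Plugs.VerifyTokenCookie do
  @moduledoc """
  Added example (hypothetical module): verify a JWT carried in a cookie with a
  custom name and hand the result to Guardian, so that a later
  Guardian.Plug.EnsureAuthenticated sees an authenticated connection.
  """
  @behaviour Plug
  import Plug.Conn, only: [fetch_cookies: 1]

  # Guardian implementation module, as shown in the conn dump above.
  @guardian Api.UserManager.Guardian

  @impl Plug
  def init(opts), do: Keyword.put_new(opts, :cookie, "token")

  @impl Plug
  def call(conn, opts) do
    conn = fetch_cookies(conn)

    with token when is_binary(token) <- conn.req_cookies[opts[:cookie]],
         # Signature, exp/nbf and the literal claim typ == "access" are all
         # checked here, so a refresh token in the cookie is not accepted.
         {:ok, claims} <- @guardian.decode_and_verify(token, %{"typ" => "access"}) do
      conn
      |> Guardian.Plug.put_current_token(token)
      |> Guardian.Plug.put_current_claims(claims)
    else
      # Missing or invalid cookie: leave the conn untouched and let
      # EnsureAuthenticated reject the request through the error handler.
      _ -> conn
    end
  end
end

# Pipeline using the plug (hypothetical module name; otp_app is an assumption).
defmodule Api.UserManager.CookiePipeline do
  use Guardian.Plug.Pipeline,
    otp_app: :api,
    module: Api.UserManager.Guardian,
    error_handler: Api.UserManager.ErrorHandler

  plug ApiWeb.Plugs.VerifyTokenCookie, cookie: "token"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end
```

Because the browser attaches the cookie to every request on its own, the cookie that carries the token is normally also set with same_site: "Lax" (or "Strict") and, once the site is served over HTTPS, secure: true, both of which are options of Plug.Conn.put_resp_cookie.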

Hi, I have the exact same issue. I also put the cookie with

Plug.Conn.put_resp_cookie("guardian_default_token", token, http_only: true)

But I cannot validate the cookie with this Auth pipeline

defmodule Api.Guardian.AuthPipeline do
  use Guardian.Plug.Pipeline, otp_app: :Api,
    module: Api.Guardian,
    error_handler: Api.AuthErrorHandler

  plug :fetch_session
  plug Guardian.Plug.VerifySession, key: "guardian_default_token"
  plug Guardian.Plug.VerifyCookie
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end

Could you possibly provide me some information about the auth pipeline you used?

Thanks