Validate cookie in guardian

Is there a way to validate the cookie instead of validating authorization header in guardian?


Sure, what have you tried so far?

I send the cookie from the server using
|> Plug.Conn.put_resp_cookie("token", token, http_only: true)
|> Plug.Conn.send_resp(:no_content, "")

but I get :unauthenticated from Guardian.Plug.EnsureAuthenticated

Is there anything I am missing?


Have you tried adding Guardian.Plug.VerifyCookie to your router.ex pipeline?

I’m not sure about this one, but as I’ve understood, that plug fetches token from cookie (correct me if I’m wrong).

If you have a separate server for frontend, please ensure that you’re adding credentials: 'include' (fetch api) or withCredentials: true (axios).

Guardian.Plug.VerifyCookie doesn't seem to be working. I get nil trying to get the token using

This is the conn

adapter: {Plug.Cowboy.Conn, :...},
assigns: %{},
before_send: [#Function<0.93523768/1 in>],
body_params: %{"folder" => "folder"},
cookies: %{
  "token" => "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhcGkiLCJleHAiOjE2MjM2ODY0NTcsImlhdCI6MTYyMTI2NzI1NywiaXNzIjoiYXBpIiwianRpIjoiM2U5MWQyYTEtNzU4Yi00MjgwLThjZDgtYmI4NTUzOTMzNDNiIiwibmJmIjoxNjIxMjY3MjU2LCJzdWIiOiJncmVhdGlzZ3JlYXQiLCJ0eXAiOiJhY2Nlc3MifQ.VSCXvWFRna_fao3PSDHdw9hohqgUFShvnv0BnqsInA64dJLY4LmOkJ6QQSMD_nhuw4yu7BjNbTcj8Domt2Uqkw"
},
halted: false,
host: "",
method: "POST",
owner: #PID<0.1147.0>,
params: %{"folder" => "folder"},
path_info: ["folder"],
path_params: %{},
port: 4000,
private: %{
  ApiWeb.Router => {[], %{}},
  :guardian_error_handler => Api.UserManager.ErrorHandler,
  :guardian_module => Api.UserManager.Guardian,
  :phoenix_action => :create,
  :phoenix_controller => ApiWeb.FolderController,
  :phoenix_endpoint => ApiWeb.Endpoint,
  :phoenix_format => "json",
  :phoenix_layout => {ApiWeb.LayoutView, :app},
  :phoenix_request_logger => {"request_logger", "request_logger"},
  :phoenix_router => ApiWeb.Router,
  :phoenix_view => ApiWeb.FolderView,
  :plug_session_fetch => #Function<1.55231287/1 in Plug.Session.fetch_session/1>
},
query_params: %{},
query_string: "",
remote_ip: {192, 168, 1, 6},
req_cookies: %{
  "token" => "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhcGkiLCJleHAiOjE2MjM2ODY0NTcsImlhdCI6MTYyMTI2NzI1NywiaXNzIjoiYXBpIiwianRpIjoiM2U5MWQyYTEtNzU4Yi00MjgwLThjZDgtYmI4NTUzOTMzNDNiIiwibmJmIjoxNjIxMjY3MjU2LCJzdWIiOiJncmVhdGlzZ3JlYXQiLCJ0eXAiOiJhY2Nlc3MifQ.VSCXvWFRna_fao3PSDHdw9hohqgUFShvnv0BnqsInA64dJLY4LmOkJ6QQSMD_nhuw4yu7BjNbTcj8Domt2Uqkw"
},
req_headers: [
  {"accept", "application/json, text/plain, */*"},
  {"accept-encoding", "gzip, deflate, br"},
  {"accept-language", "en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"},
  {"connection", "close"},
  {"content-length", "15"},
  {"content-type", "application/json;charset=UTF-8"},
  {"dnt", "1"},
  {"host", ""},
  {"origin", ""},
  {"referer", "http://localhost:3000/home"},
  {"sec-ch-ua", "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\""},
  {"sec-ch-ua-mobile", "?0"},
  {"sec-fetch-dest", "empty"},
  {"sec-fetch-mode", "cors"},
  {"sec-fetch-site", "same-origin"},
  {"user-agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"},
  {"x-forwarded-for", ""},
  {"x-forwarded-host", "localhost:3000"},
  {"x-forwarded-port", "3000"},
  {"x-forwarded-proto", "http"}
],
request_path: "/folder",
resp_body: nil,
resp_cookies: %{},
resp_headers: [
  {"cache-control", "max-age=0, private, must-revalidate"},
  {"x-request-id", "Fn_l-w9MvNr4aakAAAXj"}
],
scheme: :http,
script_name: [],
secret_key_base: :...,
state: :unset,
status: nil

I’m not sure if this is the cause of your difficulties, but it’s possible this is causing CORS weirdness since the two hostnames don’t agree. :thinking:

Did you pass the option to the VerifyCookie plug saying which key your cookie is stored under (based on the options section of the doc)? In your case, it should be token.

I tried plug Guardian.Plug.VerifyCookie, key: "token" but it did not fix it.

I am using my Phoenix server as the proxy in my React website. But I don't think it is the problem, because VerifyHeader works.

I can get the cookie using conn.req_cookies["token"], but is there some way I can connect it to Guardian.Plug.EnsureAuthenticated to verify the token?
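One way to bridge that gap, as an added example that is not from this thread or from Guardian itself: a hypothetical plug that reads the "token" cookie, verifies it with the implementation module already named in conn.private (Api.UserManager.Guardian) and stores the token and claims where Guardian.Plug.EnsureAuthenticated looks for them. The plug module name and the pipeline name are assumptions.

```elixir
# Hypothetical plug (not from the thread): verify a Guardian access token
# carried in the "token" cookie and record it for EnsureAuthenticated.
defmodule ApiWeb.Plugs.VerifyTokenCookie do
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.put_new(opts, :cookie, "token")

  @impl true
  def call(conn, opts) do
    {cookie_name, guardian_opts} = Keyword.pop(opts, :cookie)
    conn = fetch_cookies(conn)

    # Skip if an earlier plug (e.g. VerifyHeader) already found a token.
    with nil <- Guardian.Plug.current_token(conn, guardian_opts),
         token when is_binary(token) <- conn.req_cookies[cookie_name],
         # Api.UserManager.Guardian, set by Guardian.Plug.Pipeline in the router
         module <- Guardian.Plug.Pipeline.fetch_module!(conn, guardian_opts),
         # Signature, exp and nbf are checked by Guardian; the claim map
         # additionally requires typ == "access" so a refresh token is refused.
         {:ok, claims} <- module.decode_and_verify(token, %{"typ" => "access"}) do
      conn
      |> Guardian.Plug.put_current_token(token, guardian_opts)
      |> Guardian.Plug.put_current_claims(claims, guardian_opts)
    else
      # No cookie, bad signature, expired or wrong typ: leave the conn untouched
      # and let Guardian.Plug.EnsureAuthenticated reject the request.
      _ -> conn
    end
  end
end

# router.ex (assumed pipeline name); the module and error handler come
# from the conn dump above.
pipeline :auth do
  plug Guardian.Plug.Pipeline,
    module: Api.UserManager.Guardian,
    error_handler: Api.UserManager.ErrorHandler

  plug Guardian.Plug.VerifyHeader
  plug ApiWeb.Plugs.VerifyTokenCookie, cookie: "token"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end
```

When issuing the cookie, keep http_only: true and add secure: true outside local development. Because the browser attaches the cookie on its own, POST routes behind this pipeline need CSRF protection that a bearer header does not.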

According to:


If you want to mimic what Guardian is doing, you need put your token at the cookie key: guardian_default_token

naming the cookie guardian_default_token using

Plug.Conn.put_resp_cookie("guardian_default_token", token, http_only: true)