zanderxyz
Veil - Simple Passwordless Authentication for your Phoenix Apps
Veil - Simple Passwordless Authentication for your Phoenix Apps
I have just released the first version of Veil, a very simple library to add passwordless authentication to your Phoenix apps. Starting from a new project, you can have authentication working in five minutes (and most of that time is getting an API key from your email api of choice).
I have noticed a lot of people asking about the best solution for adding authentication to new projects and I think this provides that. It has far less functionality than Guardian or Coherence, but in turn is faster to set up if you don’t need all the bells and whistles that they offer.
I don’t think most websites need to use the username/password paradigm, and authenticating by email automatically verifies all of your emails on signup. You have full control over the expiry of session tokens and can easily revoke them on the server if you want.
All the schemas/controllers/plugs/templates are added directly to your Phoenix project so you can easily customise/extend them as much as you wish.
Would really appreciate any feedback!
Most Liked
ElixirCasts
If you’re curious how Veil works, I made an screencast where I use it with an existing Phoenix application: https://elixircasts.io/passwordless-authentication-with-veil
zanderxyz
Sure! Veil adds a new mix task that you run with mix veil.add. This then does the following:
- Adds schemas for Veil.User, Veil.Request, Veil.Session
- Adds User & Session controllers & views
- Adds a mailer
- Adds three Plugs
- Adds HTML templates (if your phoenix app has a templates directory)
- Amends your config file to add the Veil-specific settings
- Amends the default layout.html.eex to add a sign in link
- Amends your router to add one of the Plugs to the default pipeline, and adds two new blocks: one for Veil’s sign in/session routes, and one that only signed in users can access.
It also includes code to generate unguessable unique secure ids for requests and sessions, and this code isn’t copied to your app (since it doesn’t need modifying).
In practical terms, this gives you:
- A sign in/signup form (email address only) that sends an email to the address given
- Clicking the link in that email will sign the user into the application and set a session id in a cookie
- You can then add protected routes in the new router block that will only be accessible to logged in users
Regarding email providers, it uses Swoosh by default, which includes the following adaptors for different services: Sendgrid, Mandrill, Mailgun, Postmark, SparkPost, and SMTP.
Please let me know if you have any further questions.
zanderxyz
Good question. Honestly, if you have already set up your own authentication by email, then it probably makes sense to continue using that. This isn’t a terribly hard problem, so if you’ve already done the work it’s unlikely that you want to switch.
That said, it may have a few advantages over your solution (guessing of course):
- Secure request/session ids that can easily be invalidated server-side.
- Login requests are also stored in the database, so it is easy to see failed login attempts (although these are deleted by a task daily, it would be easy to add another task to email a list of users with multiple failed attempts to the website admin daily).
I think the main advantage comes if you are starting a new project - you can be set up in 5 minutes without needing to roll your own method.
If you have a few minutes free, maybe try creating a new project with Veil included and see if it works significantly differently. If your method is better in any way I’d love improvement suggestions!
Popular in Announcing
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








