Stickersss

Stickersss

WebSocket JWT Socket Authentication via Guardian and Phoenix

Long story short, I have a JavaScript frontend client and two backends: one in Python (for login/signup) and one in Phoenix (used only for websockets).

My Python backend sets an HTTP-only JWT token and successfully handles login and signup when users interact with the JavaScript frontend client.

Once a user has logged in, they should be able to connect to the Phoenix backend’s channels with the cookies previously set. I’ve managed to make Phoenix + Guardian work for JWT HTTP secure authentication, but I’m facing difficulties with websockets. As far as I know, sending an HTTP-only cookie to the Phoenix backend for websockets is not possible due to security reasons (browsers allow cross-origin connections that bypass CORS).

So, how can I authenticate my users from the frontend who have already logged in (with jwt token cookie http only set to true) and need to connect to Phoenix websocket channels?

Here are the solutions I’ve been considering:

  1. On the Python backend, when a user logs in or signs up, I set another cookie with an encrypted JWT and make it HTTP-only false. Then, I can access this token on the frontend’s socket connection to the Phoenix backend and verify & decode it.
  2. Create a REST API in the Python backend for the encrypted JWT, which I can use for websocket connections to the Phoenix backend for verification.

P.S: Still, I’m hesitant about encrypting the JWT and storing it in cookies with HTTP-only set to false. This approach leaves room for XSS vulnerabilities since the token can be accessed directly from document.cookies and potentially stolen for connecting to the Phoenix websocket backend as a victim

Marked As Solved

codeanpeace

codeanpeace

Welcome!

At this step/plug, couldn’t you set an additional Phoenix user token that plays nicely with websockets/Channels? It sounds like you’ve figured out JWT HTTP authentication with Phoenix so why not make an async HTTP call to your Phoenix backend that sets a Phoenix auth token which can then be used when connecting via websockets.

reference: Using Token Authentication | Phoenix Channels

Also Liked

Stickersss

Stickersss

Thanks a lot! I used exactly that approach and it seems to work well!

P.S: I had to document the authentication part for a documentation. If anyone in the future ends up in this thread, I’ve created an image showing different approaches

Where Next?

Popular in Questions Top

chokchit
** (DBConnection.ConnectionError) connection not available and request was dropped from queue after 2733ms. You can configure how long re...
New
qwerescape
Is there a way to get the call stack or stack trace at any point in the code? Not from exceptions, but an expression that returns how the...
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
ycv005
I have followed this StackOverflow post to install the specific version of Erlang. And When I am running mix ecto.setup then getting fol...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
srinivasu
How to handle excepions in elixir? Suppose i have A, B, C ,D, E modules. and each module has get() function. A.get() method will call t...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New

Other popular topics Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement