What's the best way to have both session and token auth?

In the project I am planning I will be using Phoenix Auth but this is a more general question.

In most Phoenix examples I see, people either use API-token auth or HTTP sessions. In my project, I want both (it has an API and a browser web app).

I know I can pipe different things in the router scopes for API and HTML, but what do I do about modules like SessionController, which would have different logic in each case and return different kinds of views?

Is the best approach to have two session controllers?

Thanks for any help and examples.

Personally I’d have 2 different session controllers, rather than try and mash them together.

If you need the traditionally rendered views to be able to make API requests, you could send a token to the client in the layout, which your JavaScript can consume (see https://hexdocs.pm/phoenix/Phoenix.Token.html#module-usage for details on how it's recommended to do it with channels).

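A worked version of the two-controller layout recommended above, added here as an example and not code from the thread or from Phoenix itself. It assumes an app named MyApp with a MyAppWeb.Endpoint, a hypothetical MyApp.Accounts.authenticate/2 returning {:ok, user} or :error, users with an :id field, and a Phoenix version with connect/3 sockets; the salt and max_age values are arbitrary choices. The browser controller writes a cookie session and a plug exposes a Phoenix.Token for the layout's JavaScript, the API controller returns the same kind of token as a bearer credential, and the socket verifies it exactly as the Phoenix.Token docs describe.

```elixir
# Added example, not code from the thread. Assumes MyAppWeb.Endpoint, a
# hypothetical MyApp.Accounts.authenticate/2 ({:ok, user} | :error) and users
# with an :id field. Salt and max_age are arbitrary choices.

defmodule MyAppWeb.Auth.Token do
  @salt "user auth"       # not secret; namespaces tokens signed with secret_key_base
  @max_age 24 * 60 * 60   # seconds; verify/1 rejects anything older

  def sign(user_id), do: Phoenix.Token.sign(MyAppWeb.Endpoint, @salt, user_id)

  def verify(token) when is_binary(token),
    do: Phoenix.Token.verify(MyAppWeb.Endpoint, @salt, token, max_age: @max_age)

  def verify(_), do: {:error, :missing}
end

# Browser side: cookie session. Wire into the :browser pipeline's scope.
defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  def new(conn, _params), do: render(conn, :new)

  def create(conn, %{"email" => email, "password" => password}) do
    case MyApp.Accounts.authenticate(email, password) do
      {:ok, user} ->
        conn
        |> configure_session(renew: true)   # fresh session id on login (fixation defence)
        |> put_session(:user_id, user.id)
        |> redirect(to: "/")

      :error ->
        conn |> put_flash(:error, "Invalid credentials") |> render(:new)
    end
  end

  def delete(conn, _params), do: conn |> configure_session(drop: true) |> redirect(to: "/login")
end

# API side: same credentials, but the result is a bearer token in JSON.
defmodule MyAppWeb.Api.SessionController do
  use MyAppWeb, :controller

  def create(conn, %{"email" => email, "password" => password}) do
    case MyApp.Accounts.authenticate(email, password) do
      {:ok, user} -> json(conn, %{token: MyAppWeb.Auth.Token.sign(user.id)})
      :error -> conn |> put_status(:unauthorized) |> json(%{error: "invalid credentials"})
    end
  end
end

# Plug for the :api pipeline: "Authorization: Bearer <token>" or 401. It never
# reads the cookie session, so a browser cookie cannot authenticate API calls.
defmodule MyAppWeb.Plugs.RequireBearerToken do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user_id} <- MyAppWeb.Auth.Token.verify(token) do
      assign(conn, :current_user_id, user_id)
    else
      _ ->
        conn
        |> put_status(:unauthorized)
        |> Phoenix.Controller.json(%{error: "invalid or expired token"})
        |> halt()
    end
  end
end

# Plug for the :browser pipeline: read the session and sign a token for the
# layout, e.g. <meta name="channel_token" content="<%= @user_token %>">.
defmodule MyAppWeb.Plugs.LoadSessionUser do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    case get_session(conn, :user_id) do
      nil -> conn
      id -> conn |> assign(:current_user_id, id) |> assign(:user_token, MyAppWeb.Auth.Token.sign(id))
    end
  end
end

# The socket verifies that same token; the JS client passes it as params: {token: ...}.
defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  def connect(%{"token" => token}, socket, _connect_info) do
    case MyAppWeb.Auth.Token.verify(token) do
      {:ok, user_id} -> {:ok, assign(socket, :current_user_id, user_id)}
      {:error, _reason} -> :error
    end
  end

  def connect(_params, _socket, _connect_info), do: :error

  def id(socket), do: "user_socket:#{socket.assigns.current_user_id}"
end
```

In the router, put MyAppWeb.Plugs.LoadSessionUser at the end of the :browser pipeline (after fetch_session) and MyAppWeb.Plugs.RequireBearerToken in the :api pipeline; the API scope then has no session plug at all. One caveat worth knowing before choosing this over a stateful scheme: a Phoenix.Token is signed, not stored, so dropping the cookie session on logout does not invalidate a token that was already handed out; it stays verifiable until max_age elapses, which is why the age is kept short here.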

Thanks @theangryangel that’s what I was thinking of doing.

I believe I have done what @theangryangel suggests, but I am using Guardian for JWT instead of Phoenix tokens because I like the ability to encode data into the token and sign it.

I have a separate login application bundle that is delivered to all unauthenticated HTTP sessions, and to which all unauthenticated sessions are redirected (/login).

Logging in will generate an HTTP session via cookie, and serve the main application bundle plus a JWT used to authenticate a Phoenix socket for duplex communication with the server (/).

Logging out destroys the token and the session.