Phoenix - Authentication
01 Aug 2017
API
manual implementation
- https://m.alphasights.com/simple-web-servers-with-plug-and-cowboy-34f7a174f252
- http://learningwithjb.com/posts/authenticating-users-using-a-token-with-phoenix
using Phoenix.Token
- https://hexdocs.pm/phoenix/Phoenix.Token.html
- https://elixirforum.com/t/how-is-phoenix-token-different-from-jwt/2349/4
- https://dennisreimann.de/articles/phoenix-passwordless-authentication-magic-link.html
using Guardian and JWT
- https://github.com/ueberauth/guardian
- http://blog.overstuffedgorilla.com/simple-guardian-api-authentication/
signing out
https://elixirforum.com/t/guardian-jwt-vs-phoenix-token/853/29:
The first question is whether you need to revoke the jwt at all - in many cases, it might be enough to just let it expire. With many apis, there isn’t really a logout functionality - the user will just access the resources he / she needs and then stop using it. If you do want to revoke jwts, I know that many developers use Redis for this, and that might be quicker than a db lookup.
that is, you need external storage to revoke a JWT before it expires - say, the Guardian DB package, which tracks tokens in the database when using Guardian.
https://github.com/ueberauth/guardian_db#disadvantages:
With Guardian.DB, every request requires a trip to the database, as Guardian now needs to ensure that a record of the token exists. This can arguably eliminate the main advantage of using a JWT authentication solution, which is statelessness.
when using a JWT for browser sessions (the token lives in the session), just flush the session on sign-out.
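To make the trade-off in the two quotes above concrete, here is an added example in Python (not code from this post, from Guardian or from Guardian.DB): a minimal HS256 JWT whose `verify` is stateless unless it is handed a revocation store, with an in-memory set standing in for the Redis or Guardian.DB lookup. The secret and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for the demo; load a real secret from config

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. A revocation store (Redis, Guardian.DB table) keys on the jti claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, revoked: Optional[set] = None, now: Optional[float] = None,
           secret: bytes = SECRET) -> Optional[dict]:
    """Stateless check (signature + exp); a live token is only rejected early if `revoked` is consulted."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse algorithm confusion ("none", or an RS256 header verified with the HMAC key)
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None  # forged or tampered
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong number of segments, bad base64, bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None  # expiry is the only "logout" a purely stateless setup has
    if revoked is not None and claims.get("jti") in revoked:
        return None  # the per-request store lookup that costs statelessness
    return claims

def demo() -> tuple:
    issued = 1_000_000  # constructed clock value so the result is deterministic
    token = sign({"sub": "user-42", "jti": "tok-1", "exp": issued + 3600})
    revoked = set()  # stands in for Redis or the Guardian.DB tokens table
    valid = verify(token, revoked, now=issued + 10) is not None
    revoked.add("tok-1")  # user signs out: record the jti
    stateless_still_ok = verify(token, None, now=issued + 10) is not None  # no store: still accepted
    rejected_with_store = verify(token, revoked, now=issued + 10) is None  # with store: rejected
    expired = verify(token, None, now=issued + 3601) is None  # after exp: rejected either way
    return valid, stateless_still_ok, rejected_with_store, expired
```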