History of Guardian



Revision 3 . . December 20, 2015 4:48 pm by 14.sub-70-193-126.myvzw.com
Revision 2 . . December 20, 2015 7:33 am by 198.98.94.133
Revision 1 . . December 20, 2015 7:32 am by 198.98.94.133
See Also: ComeOnIn


wsmoak [4:54 PM]
@sergiotapia: let's see how far I get, so far I've done the hashed passwords and I'm working on adding Guardian... maybe there will be a blog post. [but surely someone has done this already?]

[4:56]
there is this one, but I think it's a bit out of date. https://github.com/hassox/phoenix_guardian/


mboudra [4:58 PM]
joined #phoenix

hassox [5:13 PM]
@wsmoak: my wip on the update to that app is at https://github.com/hassox/phoenix_guardian/tree/ueberauth-guardian?files=1


mushynaners [5:17 PM]
what do you guys think about passwordless logins?

[5:18]
i think it's 100x better than using passwords,

[5:18]
and it was super easy to integrate into Guardian

[5:18]
bow @hassox

wsmoak [5:22 PM]
@hassox: thanks! I was trying to work out whether ueberauth is a replacement for guardian or... ?

hassox [5:25 PM]
They're complementary. Ueberauth does the first part, checking password/oauth. Once you've confirmed that with Ueberauth, guardian takes care of the per-request auth

[5:27]
@mushynaners: :metal:

g33kidd [5:36 PM]
Is it possible to render a template from just a string and not a file?

wsmoak [5:41 PM]
@hassox: Do I still need Comeonin then? (I though it did the password checking...)

hassox [5:42 PM]
How you do your password checking is up to you. I use comeonin for the actual hashing part

wsmoak [5:43 PM]
okay. (that's as far as I've gotten, plain text password coming in from the form, hashed and into the database.)

hassox [5:43 PM]
@wsmoak: on my phone so can't link to the line but you can see it at https://github.com/hassox/phoenix_guardian/blob/ueberauth-guardian/web/auth/user_from_auth.ex


wsmoak [5:43 PM]
I just added the guardian dependency and the serializer (following the guardian docs.) I'll look at that, thanks.

hassox [5:44 PM]
Cool

rosssta [5:44 PM]
joined #phoenix

wsmoak [5:45 PM]
I need to do the next-simplest-thing-that-can-possibly-work (assuming I'm not following Programming Phoenix and writing the plug myself.) So *just* Guardian (and as little as possible) would be good. :simple_smile:

hassox [5:46 PM]
I'll be on my machine in about 15 mins. Can gist you specifics

hassox [6:11 PM]
@wsmoak: back

[6:11]
what do you have so far? Do you have a pipeline setup with VerifySession and Load

[6:11]
LoadResource?

[6:11]
?

wsmoak [6:27 PM]
@hassox: yes, just did that... now "you can either EnsureAuthenticated in your pipeline, or on a per-controller basis." -- and the single example appears to be "per-controller" so that's fine.

[6:28]
but the AuthHandler is a mystery (just going by the docs). off to look for an example.

hassox [6:28 PM]
so the VerifySession plug just tries to locate the JWT from the session

[6:28]
the handler is just a module that implements unauthenticated(conn, params) :: Plug.Conn.t and unauthorized(conn, params) :: Plug.Conn.t

[6:28]
typically I'd use it like https://gist.github.com/hassox/b2a14a9003508bee7bcb#file-api_user_controller-ex

[6:29]
the handler is used when a valid token wasn't found

wsmoak [6:29 PM]
I think I saw that described somewhere. perhaps in one of the blog posts.

mushynaners [6:31 PM]
i love how you can just plug stuff like EnsureAuth any where in the code, even like half way thru the controller/module

[6:32]
makes the code so dry and clean

mushynaners [6:38 PM]
^ actually i am sure if you can do that

[6:38]
lol

[6:38]
i am not*

wsmoak [6:42 PM]
ooookay. I see why I'm confused. One of the examples for EnsureAuthenticated has "MyAuthHandler" and the other has "MyAuthErrorHandler".

hassox [6:44 PM]
:disappointed:

[6:44]
sorry

[6:44]
the handlers are just modules that take the conn and params in the unauthenticated function and handle it

wsmoak [6:45 PM]
no problem. I shall fix it. :simple_smile: I had just created the former after reading one bit, and then pasted the *other* line of example code, and it was complaining.

rmangum [6:49 PM]
I just tried generating a new Phoenix 1.1 app with `mix phoenix.new some_app --no-html --no-brunch`, and the generated code doesn't compile. The error I'm getting arises from the `use SomeApp.Web, :view` line in `web/views/error_view.ex`. In `web/web.ex`, for views, it tries to `import SomeApp.ErrorHelpers` but the file `web/views/error_helpers.ex` does not get generated when the `--no-html` flag is passed to `mix phoenix.new`. Any ideas? Am I missing something? Everything compiles just fine if I leave off the `--no-html` flag.

wsmoak [6:51 PM]
@hassox: ... and you have them in the SessionController in https://github.com/hassox/phoenix_guardian/blob/8df0b466ef37c3c3a29435e61f0a35b91affb55d/web/controllers/session_controller.ex not a separate handler?


hassox [6:52 PM]
@wsmoak: I wouldn't look at the old one too much...

[6:52]
that branch is what I would consider current

[6:52]
@wsmoak: what are you trying to do?

wsmoak [6:54 PM]
learn how to use Guardian... all my example apps have a User resource and the related blog posts say "Of course in a real app you would need to restrict access to this path..." :simple_smile:

hassox [6:54 PM]
ah

wsmoak [6:55 PM]
so I want to restrict /users to 'admin' users (totally fine hardcoding a userid or whatever at first). then I'd like to show showing each user only ​*their*​ stuff, on the web pages and also the api. From the docs and your blog posts... I'm pretty sure it's in there. I just have to get it out. :simple_smile:

chrismccord [6:56 PM]
@rmangum: fixed on master. `--no-html` incorrectly excluded the ErrorHelpers module

[6:56]
I will push a new release 1.1.1 tonight with the fix

hassox [6:56 PM]
@wsmoak is your app private or can you gist parts of it?

chrismccord [6:57 PM]
in the meantime you can manually add the module by following the ErrorHelpers example in the upgrade guides (linked in the changelog), or you can remove the `import MyApp.ErrorHelpers` from web.ex

wsmoak [6:57 PM]
@hassox: what do I ever do that is private :simple_smile: it's not very far along... https://github.com/wsmoak/secret_keeper


rmangum [6:58 PM]
@chrismccord: Thanks! Will do.

wsmoak [6:58 PM]
I am just adding the EnsureAuthenticated bit to the user controller and adding the handler... except I noticed that your error handler methods are *in* the controller, so maybe not.

wsmoak [6:58 PM]
...

terakilobyte [7:16 PM]
@hassox: you should think about doing a screencast series on guardian perhaps, given the interest (I plan on using it shortly!)

[7:16]
I make that recommendation very selfishly

hassox [7:17 PM]
@terakilobyte: I'm trying to get an example app up atm as a stop gap measure

[7:17]
@terakilobyte: I'm happy to answer any q's you have

hassox [7:17 PM]
isn’t very good at docs :disappointed:

wsmoak [7:18 PM]
so @hassox do I want a separate AuthErrorHandler like in the docs, or just put those two methods in the controller?

[7:19]
or leave you alone and let you finish the example app? :smile:

hassox [7:21 PM]
@wsmoak: nah don’t wait…

wsmoak [7:22 PM]
oh... that's the ​*Session*​ Controller, not one of the page or resource controllers.

hassox [7:22 PM]
@wsmoak: the choice on where to put the handler is totally up to you

[7:22]
I think I'd put it in a different module once I got more actions

[7:22]
Ok so looking at your user controller... did you want to login the user when they are created?

[7:24]
wondering where you're wanting to start, blocking access or granting it

wsmoak [7:24 PM]
no, adding users is going to be an admin function at first... let's just say the "first" user is the admin, that's the only one that can get to that page.

hassox [7:24 PM]
kk

wsmoak [7:24 PM]
and then other users will need to supply their password to add/edit/delete their "secrets" (just a line of text)

hassox [7:25 PM]
So this will make sure that people are logged in but you may not want to restrict it to specific actions https://gist.github.com/hassox/55c9f835d67950d85109#file-user_controllrer-ex-L14

[7:26]
This is how I imagine you'd add admin permissions

[7:26]
https://gist.github.com/hassox/55c9f835d67950d85109#file-user_controllrer-ex-L15

[7:27]
does that make sense?

wsmoak [7:27 PM]
was just going to ask about EnsurePermissions ... "confirms that all listed permissions are present in the token." ... listed where?

hassox [7:28 PM]
when you create a JWT, you can specify permissions to encode in them...

[7:28]
so, if your Guardian config had something like:

[7:28]
permissions: %{ default: [:admin]} <-- The list of available permissions

[7:29]
when you sign in you'd generate your token with those permissions like:

wsmoak [7:29 PM]
oh I found it. further down the page. https://github.com/ueberauth/guardian#permissions


hassox [7:30 PM]
Guardian.Plug.sign_in(conn, user, :token, perms: %{ default: [:admin] })

[7:30]
so permissions are one way to do it... alternatively you could use a different token type, or store the admin in a different - "admin" location in the session

[7:31]
the last one would require an admin login action

wsmoak [7:32 PM]
what's the simplest thing that can possibly work / simplest to explain ?

hassox [7:32 PM]
can more than just the admin login?

[7:32]
i.e. you have normal users and admin users or just an admin user

wsmoak [7:32 PM]
anything with "users" is going to need that two-level admin and regular users bit.

[7:33]
oh, right... just the admin user is an option -- this is what stopped my fitbit app. As soon as people would sign up and authenticate with FitBit, now I've got a list of users I can't protect.

hassox [7:34 PM]
ok so if your session controller for the moment is _just_ for the admin

[7:34]
then I'd put the admin in a different location

[7:35]
by that I mean a session location where you're the admin

[7:36]
this is why my docs suck so much :disappointed:

wsmoak [7:38 PM]
lol... they *exist*, this is a start!

[7:39]
it's mostly the missing forward references, like "listed permissions" that haven't been covered yet and I didn't know what that was. I'll add some links.

hassox [7:43 PM]
@wsmoak: a session controller might look something like this (using permissions)

[7:43]
https://gist.github.com/hassox/1f8dabbc745011c17da5

[7:43]
The only important line for Guardian is 25

[7:43]
other than that it's just finding the user and checking passwords and stuff.. Line 25 is the important part.

[7:44]
Guardian.Plug.sign_in on that line 1. Generates the token for the user of type "token" with the admin bit flipped on.

[7:44]
2. Adds the jwt to the session where VerifySession will find it

[7:44]
actually it flips all the bits

wsmoak [7:47 PM]
thanks. I think I have all the parts... will see if I can fit them together.
