
Phoenix is great! I only wish there was one recommended way for authentication and authorization - there are so many [1] different libraries that I got stuck researching the options - I am confused and do not know which one to use. What is your preferred way? I would like to avoid implementing every little detail on my own - getting security done right was the main reason for me to use open source libraries.

It would be great if there were one official way to make it easier to implement app security with the framework. I feel that this is the only missing part in Phoenix - but it is a very important one.

BTW: does anybody know some tool that generates a Phoenix API from a JSON Schema? Thanks!

[1] https://github.com/h4cc/awesome-elixir#authentication




The beautiful thing about the Phoenix framework is that there is no "one true way" to do things. Rails is omakase, Phoenix is not, and that's a good thing.

You want the whole enchilada? Use Guardian.

Need oauth? Use ueberauth.

Just want email and password? Use comeonin to hash your password.

It's liberating to know exactly how your system works and that it's not hidden behind some magical black box like Devise.


A black box is not what I was asking for. I would be happy to find the features you described (and many more) in one (extensible) place, e.g. Phoenix.Security.


The problem with that approach: imagine if Phoenix had a Phoenix.Security.sign_in function. How do you want to sign in?

With a cookie?

With a server-side session?

With a database session?

With an authentication token in GET params?

With an authentication token in the header?

You make the choices for your specific use case and implement them using laser-focused, great packages. One system I built authenticates with an `authenticationToken` GET param; I look for that in a Plug, then assign the current_user to the conn object.

For non-api requests, I use plain old sessions.
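An added example (not from any commenter) of the pattern described in the comment above: a Plug that reads `authenticationToken` from the query string, resolves it to a user, and either assigns `current_user` on the conn or halts with 401. The module names and the `get_user_by_api_token/1` lookup are assumptions, and the token table is a constructed stand-in for a database query.

```elixir
defmodule MyApp.Accounts do
  # Constructed stand-in for a database lookup (assumption, not a real
  # MyApp module). Only SHA-256 digests of tokens are stored, so a leaked
  # table does not hand out usable credentials.
  @token_digests %{
    :crypto.hash(:sha256, "constructed-example-token") => %{id: 1, email: "alice@example.com"}
  }

  # Resolve a raw token to a user. Hashing before lookup also means the
  # comparison happens on fixed-length digests rather than on the secret itself.
  def get_user_by_api_token(token) when is_binary(token) do
    case Map.fetch(@token_digests, :crypto.hash(:sha256, token)) do
      {:ok, user} -> {:ok, user}
      :error -> {:error, :invalid_token}
    end
  end

  # Query params can arrive as lists (`authenticationToken[]=...`); reject them.
  def get_user_by_api_token(_), do: {:error, :invalid_token}
end

defmodule MyAppWeb.Plugs.TokenAuth do
  @moduledoc "Authenticates API requests by the `authenticationToken` query param."
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    conn = fetch_query_params(conn)
    with {:ok, token} <- Map.fetch(conn.query_params, "authenticationToken"),
         {:ok, user} <- MyApp.Accounts.get_user_by_api_token(token) do
      # Downstream controllers read conn.assigns.current_user.
      assign(conn, :current_user, user)
    else
      _ ->
        # Halt so no later plug or controller runs for an unauthenticated request.
        # Note: tokens in the query string end up in access logs and leak via the
        # Referer header; an Authorization header avoids both for new APIs.
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end
end
# In the router: `pipeline :api do ... plug MyAppWeb.Plugs.TokenAuth end`
```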


For me the sweet spot is somewhere in between. If it just shipped with a decent auth module that would work for 90% of people, but that could also be easily replaced or extended if needed, that would be the best of both worlds.


Even Rails doesn't ship with an auth module though. Lots of people use Devise and there is an equivalent for Elixir (Coherence)... but shipping with auth built in is an exploit waiting to happen IMO.



has_secure_password is not an "auth module". That's simply a handy function to handle a password attribute... which an actual auth module can make use of if it desired.


My mistake. :) Was that added in 5?

Am I reading that right or is it just comparing an unencrypted string to the encrypted version?


It was added in 3.1 (http://guides.rubyonrails.org/3_1_release_notes.html) and uses bcrypt under the hood.


Laravel does, and their more batteries-included approach is nice in my opinion.


Guardian is annoying to set up but works for me. I just want something that generates a JWT and takes a JWT.


I've been using Joken for that (JWT); I just finished writing up some code that integrates with Auth0 and pulls in the signing certificate from the Auth0 domain (.well-known/jwks.json).


The closest clone of Devise I found for Phoenix is Coherence https://github.com/smpallen99/coherence


If you're coming from a Rails background, you'll find Coherence[1] similar to Devise.

However, I was recently in need of implementing authentication for more than two models (Buyer, Seller) and that's where I hit a roadblock with these Devise-like libraries. Just by chance I found a really good, well designed library which I use in production as of now. The author is also the author of many other famous libraries in Phoenix-verse (Comeonin, for example). The library is called Phauxth. Check it out:

https://github.com/riverrun/phauxth

[1] https://github.com/smpallen99/coherence


I agree with you. Most web apps require authentication with email + social (Google, FB, Twitter, GitHub). In most Rails apps people use Devise + OmniAuth, and both work seamlessly and are very easy to integrate.

As of now there are no libraries available to implement the above functionality easily for the Phoenix framework. For me also this is one of the main reasons to go ahead with Elixir + Phoenix.


Auth: Guardian



