Phoenix and Rails Authentication

Andrew Hao
October 06, 2016

How does one introduce a Phoenix Authentication API into a side project? By doing whatever it takes to learn, and doing the simple things.

Transcript

  1. Phoenix and Rails
    Authentication
    Introducing Phoenix Auth APIs to a diverse ecosystem.

  2. Hi! I'm Andrew.
    I work here.

  3. I'm a bike
    commuter
    A while ago I built a bunch of little tools to track where I was going
    on my bike.

  4. Sooo many
    different things
    It's kind of a mess:
    GPS track ingestion in Node and JS, Mongo
    Visualization in Ruby on Rails
    Storage in PostgreSQL
    Authentication & identity in... TBD

  5. What the app is

  6. I know, I'll use Elixir!
    Idea: What if I introduced Elixir into my project as an identity
    service?
    Responsibilities:
    Authentication
    Authorization (TBD)

  7. Fell in love!

  8. Desired
    architecture
    Introduce an identity system, which will store the list of users and
    their tokens - and manage sessions, too!

  9. Step 1: Phoenix app
    from scratch
    Played with Ueberauth
    Wrote a plugin: ueberauth_strava
    Wrote it inside my Elixir app, then extracted into its own hex
    package.
    Ueberauth is kind of like OmniAuth

  10. Demo
    See: Ueberauth code

  11. Step 1, done:
    At this point, the app can log you in (SSO) with Strava, and find
    (or create) a user account. It also stores a token.

  12. Step 2: Research
    authentication
    Ueberauth is closely aligned with Guardian, which pushes you to
    use JWT (JSON Web Tokens) as an auth and session mechanism.

  13. JWT, briefly.
    www.jwt.io
    Three base64url-encoded parts, header.payload.signature:
    Header: the signing algorithm (alg)
    Payload: the claims (subject, permissions, and the expiry time exp, which is itself just a claim)
    Signature: an HMAC or public-key signature over header and payload
    Store it in:
    Cookie? Local Storage? (A cookie can be HttpOnly but is sent automatically, so CSRF still applies; local storage is readable by any script that gets XSS.)

  14. Step 2, findings:
    Hm, that might not be for me. Why not?
    Session expiry is complicated: a signed token stays valid until exp, so logout or revocation needs server-side state anyway
    Complex implementation
    Overkill - this is just a side project!
    "Stop Using JWT For Sessions"
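To make the JWT bullets above concrete, here is an added HS256 JWT encoder and verifier in plain Ruby. It is example code written for this page, not Guardian's or the deck's own code. It shows the header.payload.signature layout, that exp is an ordinary claim the verifier must check, and why the verifier pins the algorithm instead of trusting the token's alg. The secret, claims and timestamps are constructed for the example.

```ruby
require "openssl"
require "base64"
require "json"

# Minimal HS256 JWT, written for this page (not Guardian). Constructed example only.
module MiniJwt
  module_function

  def b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def unb64url(str)
    Base64.urlsafe_decode64(str)
  end

  # Constant-time comparison so the signature check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Build header.payload.signature. "exp" is carried as just another claim
  # (seconds since the epoch); the server keeps no state per token.
  def encode(claims, secret)
    header = { "alg" => "HS256", "typ" => "JWT" }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
    signature = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Returns the claims if the token is well formed, signed with `secret` and
  # not yet expired at `now`; nil otherwise. `now` is injectable for tests.
  def decode(token, secret, now: Time.now.to_i)
    h, p, s = token.split(".", 3)
    return nil unless h && p && s
    header = JSON.parse(unb64url(h))
    # Pin the algorithm: a verifier that honours "alg" from the token can be
    # talked into "none" or into HMAC-with-the-public-key.
    return nil unless header["alg"] == "HS256"
    expected = OpenSSL::HMAC.digest("SHA256", secret, "#{h}.#{p}")
    return nil unless secure_compare(expected, unb64url(s))
    claims = JSON.parse(unb64url(p))
    # RFC 7519: the current time must be strictly before exp.
    return nil unless claims["exp"].is_a?(Integer) && now < claims["exp"]
    claims
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

The exp check is the whole of the expiry story on the server: once issued, a token stays valid until exp whatever the user does, so logout or forced revocation needs a server-side denylist, which is exactly the state JWT was supposed to avoid. That is the complication the findings above point at.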

  15. Step 3: Rails and
    Phoenix session
    sharing!
    Phoenix gets a parallel implementation of the Rails cookie session store: the same key derivation, encryption, signing and serialization, so a session cookie written by either app deserializes in the other. The session lives in the cookie itself.
    I wrote a blog post on this: Rails, Meet Phoenix

    View Slide

  17. How to do this:
    Set up Phoenix and Rails with the same:
    secret_key_base
    session cookie name (e.g. _myapp_session)
    cookie salts: encrypted_cookie_salt and encrypted_signed_cookie_salt
    cookie serializer (use JSON; with Marshal, a leaked secret means a forged cookie is code execution)
    Then add the plug library PlugRailsCookieSessionStore on the Phoenix side
    Caveat: the two apps now share one secret_key_base, so a compromise of either app lets an attacker forge sessions for both.
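A pure-Ruby rendering of what the two apps must agree on, added here as example code: it is neither ActionDispatch's nor PlugRailsCookieSessionStore's implementation, and it is not from the deck. It follows the Rails 4.x/5.0 encrypted cookie store as I understand it: PBKDF2-HMAC-SHA1 key derivation from secret_key_base and the two salts, AES-256-CBC, an HMAC-SHA1 signature over the ciphertext, and the JSON serializer. Rails 5.2 moved to AES-256-GCM with a different salt, so this does not match cookies from those versions. The secret and session contents are made up for the example; the salts are the Rails defaults.

```ruby
require "openssl"
require "base64"
require "json"

# Rails 4.x / 5.0 style encrypted cookie session, written for this page.
# Not the code of ActionDispatch or PlugRailsCookieSessionStore.
module RailsCookieSession
  module_function

  # Constructed sample inputs. The four things both apps must share are the
  # secret, the two salts and the serializer (plus the cookie name, not used here).
  SAMPLE_SECRET_KEY_BASE       = "example-secret-key-base-do-not-use-in-production".freeze
  ENCRYPTED_COOKIE_SALT        = "encrypted cookie".freeze         # Rails default
  ENCRYPTED_SIGNED_COOKIE_SALT = "signed encrypted cookie".freeze  # Rails default
  KEY_ITERATIONS               = 1000                              # Rails key_generator default

  # ActiveSupport::KeyGenerator: PBKDF2-HMAC-SHA1 over secret_key_base with a salt.
  # Any mismatch in secret, salt or iterations between the apps yields different
  # keys, and therefore a cookie the other side cannot read.
  def derive_key(secret_key_base, salt, length = 64)
    OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, KEY_ITERATIONS, length,
                               OpenSSL::Digest.new("SHA1"))
  end

  def keys_for(secret_key_base)
    aes_key  = derive_key(secret_key_base, ENCRYPTED_COOKIE_SALT)[0, 32] # AES-256 key
    sign_key = derive_key(secret_key_base, ENCRYPTED_SIGNED_COOKIE_SALT)
    [aes_key, sign_key]
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Cookie value = base64(base64(ciphertext)--base64(iv))--hex_hmac_sha1
  def encrypt_session(session, secret_key_base)
    aes_key, sign_key = keys_for(secret_key_base)
    cipher = OpenSSL::Cipher.new("aes-256-cbc")
    cipher.encrypt
    cipher.key = aes_key
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    encrypted = "#{Base64.strict_encode64(ciphertext)}--#{Base64.strict_encode64(iv)}"
    data = Base64.strict_encode64(encrypted)
    "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', sign_key, data)}"
  end

  # Returns the session hash, or nil if the signature, secret or format is wrong.
  def decrypt_session(cookie, secret_key_base)
    aes_key, sign_key = keys_for(secret_key_base)
    data, digest = cookie.split("--", 2)
    return nil unless data && digest
    # Verify before decrypting: unauthenticated CBC is malleable and a padding oracle.
    return nil unless secure_compare(OpenSSL::HMAC.hexdigest("SHA1", sign_key, data), digest)
    ct_b64, iv_b64 = Base64.strict_decode64(data).split("--", 2)
    return nil unless ct_b64 && iv_b64
    cipher = OpenSSL::Cipher.new("aes-256-cbc")
    cipher.decrypt
    cipher.key = aes_key
    cipher.iv = Base64.strict_decode64(iv_b64)
    JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end
```

If the Phoenix side disagrees on any of the shared inputs, decrypt_session returns nil, which is the symptom to look for when the two apps refuse to share a login. Keep the serializer on JSON on both sides: with Marshal, whoever holds secret_key_base can forge a cookie that deserializes into arbitrary objects. The ordering in decrypt_session, signature first and decryption only afterwards, is what makes the cookie safe to accept from the network.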

  18. Tada!

  19. Finally: open a Users
    API
    Internal apps can access it to get a list of users and their tokens.
    GET /users
    Simple Bearer-Token auth, protected over SSL.
    Since the response hands out third-party (Strava) tokens, treat the bearer token as a high-value secret: compare it in constant time, keep it out of logs and URLs, and reject plain-HTTP requests outright rather than redirecting them.

  20. Soooooo...

  21. Which brings us
    here...
    cyclecity.io

  22. Takeaways
    Get started with Elixir however you can.
    Just because it's shiny.. doesn't mean you have to use it!

  23. Thanks!
    Track your rides! cyclecity.io
    Me:
    [email protected]
    twitter.com/@andrewhao
    github.com/andrewhao