MagicAuth.Session (magic_auth v0.2.0)

Ecto schema representing user sessions.

This module defines the data structure for user sessions, including the user's email and the session token. It also provides functions to generate session tokens and verify them.

Summary

Functions

Generates a token that will be stored in a signed place, such as session or cookie. As they are signed, those tokens do not need to be hashed.

Checks if the token is valid and returns its underlying lookup query.

Functions

build_session(attrs)

Generates a token that will be stored in a signed place, such as session or cookie. As they are signed, those tokens do not need to be hashed.

The reason why we store session tokens in the database, even though Phoenix already provides a session cookie, is because Phoenix' default session cookies are not persisted, they are simply signed and potentially encrypted. This means they are valid indefinitely, unless you change the signing/encryption salt.

Therefore, storing them allows individual user sessions to be expired. The token system can also be extended to store additional data, such as the device used for logging in. You could then use this information to display all valid sessions and devices in the UI and allow users to explicitly expire any session they deem invalid.

verify_session_token_query(token, session_validity_in_days)

Checks if the token is valid and returns its underlying lookup query.

The query returns the user found by the token, if any.

The token is valid if it matches the value in the database and it has not expired (after @session_validity_in_days).