RephiWeb.Auth.Guardian (Rephi v0.0.2)


Guardian implementation for JWT token management with authorization support.

This module extends the basic Guardian functionality to include user roles and permissions in JWT tokens, enabling client-side authorization checks and reducing server round-trips for permission verification. Two properties of these claims matter for anyone relying on them: they are signed, not encrypted, so any holder of the token can read them; and they are a snapshot taken when the token was issued, so a role or permission change is not reflected until the token expires or is refreshed. Client-side checks are therefore a convenience for the UI; the server must still verify the signature and remain the authority for access decisions.

Token Claims

In addition to standard JWT claims, tokens include:

  • roles - Array of role slugs the user has assigned
  • permissions - Array of all permission slugs the user has (direct + via roles)

Example Token Claims

{
  "sub": "123",
  "exp": 1640995200,
  "roles": ["manager", "user"],
  "permissions": ["users:view", "users:create", "roles:view"]
}

Usage

alias RephiWeb.Auth.Guardian

# Generate a token; build_claims/3 adds the roles and permissions claims
{:ok, token, claims} = Guardian.encode_and_sign(user)

# Verify the token and load the user it belongs to (a three-element tuple, see resource_from_token/3)
{:ok, user, claims} = Guardian.resource_from_token(token)
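Enforcing one of these permission claims on the server, as an added example that is not part of Rephi: a plug that reads the verified claims Guardian stored in the connection and rejects the request unless the required permission slug is present. The module and route names are placeholders; the plug must run after Guardian.Plug.VerifyHeader and Guardian.Plug.EnsureAuthenticated, since those are what verify the signature and expiry before the claims can be trusted.

```elixir
# Added example, not Rephi's own code. Gates a route on a "permissions" claim
# taken from claims that Guardian has already verified earlier in the pipeline.
defmodule ExampleWeb.Plugs.RequirePermission do
  import Plug.Conn

  @behaviour Plug

  @impl Plug
  def init(permission) when is_binary(permission), do: permission

  @impl Plug
  def call(conn, permission) do
    # nil if no verified token was attached to the conn by Guardian's plugs.
    claims = Guardian.Plug.current_claims(conn) || %{}

    # The claim is plain JSON; anything other than a list of strings is treated
    # as "no permissions" rather than being pattern-matched loosely.
    granted =
      case Map.get(claims, "permissions") do
        list when is_list(list) -> Enum.filter(list, &is_binary/1)
        _ -> []
      end

    if permission in granted do
      conn
    else
      conn
      |> put_status(:forbidden)
      |> Phoenix.Controller.json(%{error: "forbidden"})
      |> halt()
    end
  end
end

# Router usage (placeholder pipeline name). VerifyHeader checks the signature
# and registered claims; EnsureAuthenticated rejects requests without a token;
# only then is the permission claim worth reading.
#
#   pipeline :users_create do
#     plug Guardian.Plug.Pipeline, module: RephiWeb.Auth.Guardian
#     plug Guardian.Plug.VerifyHeader, scheme: "Bearer"
#     plug Guardian.Plug.EnsureAuthenticated
#     plug ExampleWeb.Plugs.RequirePermission, "users:create"
#   end
```

Because the permission list is a snapshot taken at issuance, a permission revoked after sign-in is still honoured by this plug until the token expires. Where that window is unacceptable, re-check against the user returned by Guardian.Plug.current_resource/1 instead of the claims, at the cost of the database round-trip the claims were meant to avoid.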

Summary

Functions

build_claims(claims, resource, opts) - Builds additional claims to include roles and permissions in the JWT token.

config() - Fetches the configuration for this module.

config(key, default \\ nil) - Returns a resolved value of the configuration found at a key.

decode_and_verify(token, claims_to_check \\ %{}, opts \\ []) - Decodes and verifies a token using the configuration on the implementation module.

default_token_type() - The default type of token for this module.

encode_and_sign(resource, claims \\ %{}, opts \\ []) - Encodes and signs the claims into a token.

exchange(token, from_type, to_type, opts \\ []) - Exchanges a token of one type for another.

peek(token) - Provides the content of the token but without verification of either the claims or the signature.

refresh(old_token, opts \\ []) - Refresh a token.

resource_from_token(token, claims_to_check \\ %{}, opts \\ []) - Fetch the resource and claims directly from a token.

revoke(token, opts \\ []) - Revoke a token.

sliding_cookie(current_claims, current_resource, opts \\ []) - If Guardian.Plug.SlidingCookie is used, this callback will be invoked to return the new claims, or an error (which will mean the cookie will not be refreshed).

Functions

after_encode_and_sign(r, claims, token, _)

Callback implementation for Guardian.after_encode_and_sign/4.

after_sign_in(conn, r, t, c, o)

Callback implementation for Guardian.after_sign_in/5.

before_sign_out(conn, location, opts)

Callback implementation for Guardian.before_sign_out/3.

build_claims(c, resource, arg3)

Builds additional claims to include roles and permissions in the JWT token.

This function is automatically called by Guardian when generating tokens. It enriches the standard JWT claims with the user's current roles and permissions, enabling client-side authorization checks.

Parameters

  • claims - The base JWT claims map
  • resource - The user struct to generate claims for
  • _opts - Additional options (unused)

Returns

  • {:ok, enhanced_claims} - Claims map with roles and permissions added

Example

# Before: %{"sub" => "123", "exp" => 1640995200}
# After:  %{
#   "sub" => "123", 
#   "exp" => 1640995200,
#   "roles" => ["admin"],
#   "permissions" => ["users:view", "users:create", "roles:manage"]
# }
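An implementation of the callbacks that produce those claims, added here as an illustration rather than Rephi's own source. It assumes a user struct whose roles association (each role carrying its own permissions) and direct permissions association are both preloaded, each record having a slug field; the module and OTP app names are placeholders, and the module needs the usual Guardian configuration (issuer and secret_key) for that app.

```elixir
# Added example, not Rephi's code. Implements the Guardian callbacks this page
# documents: subject_for_token/2, resource_from_claims/1 and build_claims/3.
# Assumes `config :example, Example.Auth.Guardian, issuer: "example", secret_key: "..."`.
defmodule Example.Auth.Guardian do
  use Guardian, otp_app: :example

  # "sub" must be a string. Use the primary key, not a mutable field such as
  # the email address, so a renamed account cannot be confused with another.
  @impl true
  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_resource, _claims), do: {:error, :no_id_provided}

  # Invoked by resource_from_token/3 and Guardian's plugs only after the
  # signature and registered claims (exp, nbf, iss, aud) have been verified.
  # Example.Accounts.get_user/1 is a hypothetical lookup returning nil on a miss.
  @impl true
  def resource_from_claims(%{"sub" => id}) do
    case Example.Accounts.get_user(id) do
      nil -> {:error, :resource_not_found}
      user -> {:ok, user}
    end
  end

  def resource_from_claims(_claims), do: {:error, :no_subject}

  # Called by encode_and_sign/3 with the base claims. Produces the "roles" and
  # "permissions" claims described above: permissions held directly plus those
  # inherited through roles, de-duplicated. Both associations must be preloaded;
  # an unloaded Ecto association here would raise rather than silently return [].
  @impl true
  def build_claims(claims, %{roles: roles, permissions: direct}, _opts) do
    role_slugs = roles |> Enum.map(& &1.slug) |> Enum.uniq() |> Enum.sort()

    via_roles = Enum.flat_map(roles, fn role -> Enum.map(role.permissions, & &1.slug) end)
    direct_slugs = Enum.map(direct, & &1.slug)
    permission_slugs = (direct_slugs ++ via_roles) |> Enum.uniq() |> Enum.sort()

    {:ok, claims |> Map.put("roles", role_slugs) |> Map.put("permissions", permission_slugs)}
  end

  # A resource without the associations loaded gets a token with no
  # authorization claims rather than a crash; the plug enforcing permissions
  # then denies everything for that token, which is the safe default.
  def build_claims(claims, _resource, _opts), do: {:ok, claims}
end
```

The lists are sorted and de-duplicated so that two tokens for the same user carry byte-identical authorization claims, which keeps token size predictable and makes the claims easy to compare in logs or tests.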

config()

@spec config() :: Keyword.t()

Fetches the configuration for this module.

config(key, default \\ nil)

@spec config(atom() | String.t(), any()) :: any()

Returns a resolved value of the configuration found at a key.

See Guardian.Config.resolve_value/1.

decode_and_verify(token, claims_to_check \\ %{}, opts \\ [])

@spec decode_and_verify(
  Guardian.Token.token(),
  Guardian.Token.claims(),
  Guardian.options()
) ::
  {:ok, Guardian.Token.claims()} | {:error, any()}

Decodes and verifies a token using the configuration on the implementation module.

See Guardian.decode_and_verify/4.

default_token_type()

@spec default_token_type() :: String.t()

The default type of token for this module.

encode_and_sign(resource, claims \\ %{}, opts \\ [])

@spec encode_and_sign(any(), Guardian.Token.claims(), Guardian.options()) ::
  {:ok, Guardian.Token.token(), Guardian.Token.claims()} | {:error, any()}

Encodes and signs the claims for resource into a token, returning the token together with the final claims (the base claims plus those added by build_claims/3).

See Guardian.encode_and_sign/4 for more information.

exchange(token, from_type, to_type, opts \\ [])

@spec exchange(
  token :: Guardian.Token.token(),
  from_type :: String.t() | [String.t(), ...],
  to_type :: String.t(),
  options :: Guardian.options()
) ::
  {:ok, {Guardian.Token.token(), Guardian.Token.claims()},
   {Guardian.Token.token(), Guardian.Token.claims()}}
  | {:error, any()}

Exchanges a token of one type for another.

See Guardian.exchange for more information.

on_exchange(old_stuff, new_stuff, options)

Callback implementation for Guardian.on_exchange/3.

on_refresh(old_stuff, new_stuff, options)

Callback implementation for Guardian.on_refresh/3.

on_revoke(claims, token, options)

Callback implementation for Guardian.on_revoke/3.

on_verify(claims, token, options)

Callback implementation for Guardian.on_verify/3.

peek(token)

@spec peek(String.t()) :: map()

Provides the content of the token but without verification of either the claims or the signature. Because nothing is checked, the result is only suitable for inspection before verification (for example, reading the token type or issuer to decide how to verify it); it must never be used as input to an authorization decision.

Claims will be present at the :claims key.

See Guardian.peek/2 for more information.
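Why the unverified result has to stay out of authorization decisions, shown with an added example that is not from the Rephi documentation: it issues a token, rewrites the payload to claim an extra role and permission, and runs the forgery through both peek/1 and decode_and_verify/1. It assumes RephiWeb.Auth.Guardian is configured with a secret_key and issuer and that user is a struct with an id, as in the Usage section; the tamper/2 helper is constructed for this demonstration only.

```elixir
# Added example, not part of Rephi. Demonstrates that peek/1 returns whatever
# the payload says, while decode_and_verify/1 rejects a payload whose signature
# no longer matches. Jason is available because Guardian depends on it.
defmodule PeekDemo do
  alias RephiWeb.Auth.Guardian

  def run(user) do
    {:ok, token, _claims} = Guardian.encode_and_sign(user)

    forged =
      tamper(token, fn claims ->
        claims
        |> Map.put("roles", ["admin" | Map.get(claims, "roles", [])])
        |> Map.update("permissions", ["roles:manage"], &["roles:manage" | &1])
      end)

    # peek/1 only base64-decodes the payload, so the forged claims come straight back.
    %{claims: peeked} = Guardian.peek(forged)

    # decode_and_verify/1 recomputes the signature over the altered payload and
    # returns {:error, reason} instead of the claims.
    verified = Guardian.decode_and_verify(forged)

    %{peeked_roles: peeked["roles"], peeked_permissions: peeked["permissions"], verified: verified}
  end

  # Rewrite the payload segment of a compact JWS (header.payload.signature).
  # The original signature is kept, so the token no longer verifies.
  defp tamper(token, fun) do
    [header, payload, signature] = String.split(token, ".")

    claims =
      payload
      |> Base.url_decode64!(padding: false)
      |> Jason.decode!()

    new_payload =
      claims
      |> fun.()
      |> Jason.encode!()
      |> Base.url_encode64(padding: false)

    Enum.join([header, new_payload, signature], ".")
  end
end
```

Running PeekDemo.run/1 against a user who was issued the roles and permissions from the Usage section returns the forged "admin" role and "roles:manage" permission under peeked_roles and peeked_permissions, while verified is an error tuple. Any code path that reads a role out of peek/1 and acts on it is therefore equivalent to letting the client choose its own permissions.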

refresh(old_token, opts \\ [])

Refresh a token.

See Guardian.refresh for more information.

resource_from_claims(map)

Callback implementation for Guardian.resource_from_claims/1.

resource_from_token(token, claims_to_check \\ %{}, opts \\ [])

@spec resource_from_token(
  token :: Guardian.Token.token(),
  claims_to_check :: Guardian.Token.claims() | nil,
  opts :: Guardian.options()
) :: {:ok, Guardian.Token.resource(), Guardian.Token.claims()} | {:error, any()}

Fetch the resource and claims directly from a token.

See Guardian.resource_from_token for more information.

revoke(token, opts \\ [])

@spec revoke(Guardian.Token.token(), Guardian.options()) ::
  {:ok, Guardian.Token.claims()} | {:error, any()}

Revoke a token.

See Guardian.revoke for more information.

sliding_cookie(current_claims, current_resource, opts \\ [])

@spec sliding_cookie(
  current_claims :: Guardian.Token.claims(),
  current_resource :: Guardian.Token.resource(),
  options :: Guardian.options()
) :: {:ok, new_claims :: Guardian.Token.claims()} | {:error, any()}

If Guardian.Plug.SlidingCookie is used, this callback will be invoked to return the new claims, or an error (which will mean the cookie will not be refreshed).

subject_for_token(user, claims)

Callback implementation for Guardian.subject_for_token/2.

verify_claims(claims, options)

Callback implementation for Guardian.verify_claims/2.