YipyipExAuth.Plugs.ProcessAccessToken (YipyipExAuth v0.3.1) View Source
Plug to process and verify access tokens. Must be initialized with a YipyipExAuth.Config
-struct, which can be initialized itself using YipyipExAuth.Config.from_enum/1
.
The plug does not reject unauthenticated requests by itself. If a request is successfully verified, the user ID, session ID and extra payload are assigned to the conn. If not, an authentication error message is put in the conn's private map, which can be retrieved using YipyipExAuth.Utils.get_auth_error/1
. This allows applications to implement their own plug to reject unauthenticated requests, for example:
Usage example that rejects unauthenticated requests
defmodule MyPhoenixAppWeb.Router do
use MyPhoenixAppWeb, :router
@config YipyipExAuth.Config.from_enum(
session_ttl: 68400,
refresh_token_ttl: 3600,
session_store_module: MyModule
)
pipeline :valid_access_token do
plug YipyipExAuth.Plugs.ProcessAccessToken, @config
plug :only_authenticated
end
@doc """
Reject unauthenticated requests
"""
def only_authenticated(%{assigns: %{current_user_id: _}} = conn, _opts), do: conn
def only_authenticated(conn, _opts) do
auth_error = YipyipExAuth.Utils.get_auth_error(conn)
conn |> Plug.Conn.send_resp(401, auth_error) |> halt()
end
end
In this way, applications can completely customize how to respond to unauthenticated requests and how much information to expose to the client.
Examples / doctests
alias Plug.Conn
alias YipyipExAuth.Plugs.ProcessAccessToken
alias YipyipExAuth.Utils
import YipyipExAuth.TestHelpers
# only available when Mix env = test
alias YipyipExAuth.TestSupport.FakeSessionStore
import YipyipExAuth.TestSupport.Shared
@config YipyipExAuth.Config.from_enum(
session_ttl: 68400,
refresh_token_ttl: 3600,
session_store_module: FakeSessionStore
)
@plug_opts ProcessAccessToken.init(@config)
# "reject" requests without bearer token
iex> conn = %Conn{} |> ProcessAccessToken.call(@plug_opts)
iex> "bearer token not found" = Utils.get_auth_error(conn)
iex> conn.assigns
%{}
# "reject" requests with invalid token
iex> config = %{@config | access_token_salt: "different"}
iex> conn = build_conn() |> put_access_token(config) |> ProcessAccessToken.call(@plug_opts)
iex> "bearer token invalid" = Utils.get_auth_error(conn)
iex> conn.assigns
%{}
# "reject" requests with expired bearer token
iex> plug_opts = ProcessAccessToken.init(%{@config | access_token_ttl: -1})
iex> conn = build_conn() |> put_access_token(@config) |> ProcessAccessToken.call(plug_opts)
iex> "bearer token expired" = Utils.get_auth_error(conn)
iex> conn.assigns
%{}
# "reject" requests where the signature transport mechanism does not match the session's initial value
iex> token = generate_access_token(build_conn(), @config, %{tst: :cookie})
iex> conn = build_conn() |> put_access_token(@config, token) |> ProcessAccessToken.call(@plug_opts)
iex> "token signature transport invalid" = Utils.get_auth_error(conn)
iex> conn.assigns
%{}
# "reject" requests with an expired session
iex> token = generate_access_token(build_conn(), @config, %{exp: 1})
iex> conn = build_conn() |> put_access_token(@config, token) |> ProcessAccessToken.call(@plug_opts)
iex> "session expired" = Utils.get_auth_error(conn)
iex> conn.assigns
%{}
# "allow" requests with valid bearer token
iex> conn = build_conn() |> put_access_token(@config) |> ProcessAccessToken.call(@plug_opts)
iex> nil = Utils.get_auth_error(conn)
iex> conn.assigns
%{current_session_id: "a", current_user_id: 1, extra_access_token_payload: %{}}
# "allow" requests with valid bearer token with signature in cookie
iex> token = generate_access_token(build_conn(), @config, %{tst: :cookie})
iex> [header, encoded_payload, signature] = String.split(token, ".", parts: 3)
iex> conn = build_conn()
...> |> put_access_token(@config, header <> "." <> encoded_payload)
...> |> Plug.Test.put_req_cookie(@config.access_cookie_name, "." <> signature)
...> |> ProcessAccessToken.call(@plug_opts)
iex> nil = Utils.get_auth_error(conn)
iex> conn.assigns
%{current_session_id: "a", current_user_id: 1, extra_access_token_payload: %{}}