Learn-json-web-tokens: Translate Example to Elixir
This tutorial is great for JavaScript but it would be _amaze_ to have it in Elixir from _first_ principals to _understand_ how to authenticate a request using JWT.
Todo
- [ ] Investigate which JWT signing/verification package we can use in Elixir
- [ ] Write a basic web server that requires a JWT Auth header to access a protected resource
For a basic Elixir Web Server, see: https://github.com/dwyl/hits-elixir (no phoenix! 😮) - [ ] Tests!
- [ ] write this up in a file called
elixir-example.md
@RobStallion we briefly discussed this on the call today.
Please add any other acceptance criteria you feel are relevant.
nelsonic
All 4 comments
@nelsonic I have been reviewing the code in /example to get a better understanding of how it works in order for me to recreate it in elixir.
I think I have understood the gist of what is happening for the most part.
You create a few routes in the server.js file and all the logic for these routes come from helper.js.
This is all straightforward enough to recreate in elixir (even without a phx server).
I have found a few packages/modules that are capable of creating JWTs in elixir. They are:
- jose
- joken (uses jose as a dep)
- [guardian] (uses jose as a dep. More of an auth package than just a jwt)
- yajwt (only has
jasonas a dep. Least used package mentioned and does not appear to be updated/maintained as often as the others.)
So far I have only used joken but it was fairly straightforward to create a JWT with it...
{:ok, token, _} = LearnJwt.Token.generate_and_sign(%{user_id: 1})
IO.inspect(token)
LearnJwt.Token.verify_and_validate!(token)
|> IO.inspect(label: "===> ")
logs....
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJhdWQiOiJKb2tlbiIsImV4cCI6MTU1MzYzODYyMCwiaWF0IjoxNTUzNjMxNDIwLCJpc3MiOiJKb2tlbiIsImp0aSI6IjJtN3BuMnQ2MDBmMWN1Z3ZlazAwMDA1MyIsIm5iZiI6MTU1MzYzMTQyMH0.HQ-AQjvnIO7tIJF2joB45BJj7oLEznYSKUHZdMf9qe0"
===> : %{
"aud" => "Joken",
"exp" => 1553638620,
"iat" => 1553631420,
"iss" => "Joken",
"jti" => "2m7pn2t600f1cugvek000053",
"nbf" => 1553631420,
"user_id" => 1
}
The verify_and_validate function also makes sure that the JWT has not been tampered with. If we create a JWT with the default secret and then try to decrypt it with a different secret we get an error...
config/dev.exs
config :joken,
default_signer: "secret",
testing: "test"
some_controller
{:ok, token2, _} = LearnJwt.Token.generate_and_sign(%{user_id: 1}, :testing)
LearnJwt.Token.verify_and_validate!(token2)
we get the following error...
This means that we can use these functions to create and verify our JWTs.
The part I am not entirely sure how to replicate is this, sending the JWT to the client.
I can send it to the client in the assigns argument of the render function like so...
render(conn, "index.html", jwt: token)
at which point we could store it in localStorage.
I haven't yet touched on how we will send the JWT back to the server but I assume that we can do this with js on the front end if there is not a "clean" way to do it using phoenix forms. (I have not seen one example of a phoenix application using phoenix templating to send jwt back to the server which leads me to think it is not "clean")
RobStallion
on 26 Mar 2019
@RobStallion please _consider_ using https://hexdocs.pm/plug/Plug.Conn.html put_private/3 to save the JTW as auth_token. For an implementation example see: /lib/expected/plugs.ex#L88
LMK if you have want to walk+talk through it at any point this morning. 🤙
nelsonic
on 27 Mar 2019
Have you had a read of: https://hexdocs.pm/plug/Plug.Session.COOKIE.html ? 💭
nelsonic
on 27 Mar 2019
Taking a short break from this for now. Will come back to in a couple of days
RobStallion
on 27 Mar 2019
Related issues
KumarS-Naveen
·
3Comments
NE-SmallTown
·
5Comments
nelsonic
·
5Comments
alanshaw
·
6Comments
joepie91
·
18Comments
Most helpful comment
Have you had a read of: https://hexdocs.pm/plug/Plug.Session.COOKIE.html ? 💭