Currently working on getting some base HTML views up, inspired by those packaged in Devise. This is a feature set requested from a number of people, and makes sense for the large Phoenix ecosystem.

Need to add a lockout feature after a configurable number of attempts to login to a user account.

Reference: http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable

I'd love to contribute to this project. Is it still in active development?

How do I proceed so that a registration already starts confirmed and the user logged in?

I ended up creating everything with the --confirmation option, but I do not need it any more.

Hi! I'm trying to use sentinel library. I've configured application using your configuration guide and sentinel_example project, but I'm getting errors when visiting paths like /login, /user/create and others provided by sentinel. Error looks this way: (UndefinedFunctionError) function :app.render/2 is undefined (module :app is not available). I will be very grateful for every suggestion.

Hi,

I want to add extra field during the signup like username, and I don't know how to handle this.

I tried creating my own controller and calling Sentinel function, and also trying to replace the :callback attribute in the view by my own function without success.

The "/user/new" work great, but I want to use sentinel on my own "/signup" with username/email/password field.

I would like to know how I could achieve that.

Thanks

When applying the routes as per the README:

defmodule` MyApp.Router do
  use MyApp.Web, :router
  require Sentinel
 

 pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
   
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/" do
    pipe_through :ueberauth
    Sentinel.mount_ueberauth
  end

  scope "/" do
    pipe_through :browser
    Sentinel.mount_html
  end

  scope "/api", as: :api do
    pipe_through :api
    Sentinel.mount_api
  end

end

== Compilation error on file web/router.ex ==
** (CompileError) web/router.ex:1: undefined function ueberauth/2
    (stdlib) lists.erl:1338: :lists.foreach/2
    (stdlib) erl_eval.erl:670: :erl_eval.do_apply/6
    (elixir) lib/kernel/parallel_compiler.ex:117: anonymous fn/4 in Kernel.ParallelCompiler.spawn_compilers/1

As per the instructions ueberauth is set as an application.

When commenting out:

#scope "/" do
  #  pipe_through :ueberauth
  #  Sentinel.mount_ueberauth
  #end

The compiling error goes away.

Testing with:

defmodule MyApp.Router do
  use MyApp.Web, :router
  require Sentinel
 

 pipeline :browser do
    plug Ueberauth
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
   
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  #scope "/" do
  #  pipe_through :ueberauth
  #  Sentinel.mount_ueberauth
  #end

  scope "/" do
    pipe_through :browser
    Sentinel.mount_html
    Sentinel.mount_ueberauth
  end

  scope "/api", as: :api do
    pipe_through :api
    Sentinel.mount_api
  end

end

When running mix sentinel.install mix shows the following error:

• (File.Error) could not stream "deps/sentinel/test/support/migrations/guardian_db_migration.exs": no such file or directory
  (elixir) lib/file/stream.ex:78: anonymous fn/2 in Enumerable.File.Stream.reduce/3
  (elixir) lib/stream.ex:1240: anonymous fn/5 in Stream.resource/3
  (elixir) lib/enum.ex:1767: Enum.map/2
  lib/mix/tasks/install.ex:111: Mix.Tasks.Sentinel.Install.generate_token_migration/0
  lib/mix/tasks/install.ex:28: Mix.Tasks.Sentinel.Install.create_migrations/0
  lib/mix/tasks/install.ex:11: Mix.Tasks.Sentinel.Install.run/1
  (mix) lib/mix/task.ex:294: Mix.Task.run_task/3
  (mix) lib/mix/cli.ex:58: Mix.CLI.run_task/2
  (elixir) lib/code.ex:370: Code.require_file/2

When using github as the package source in mix deps it works fine.

Need to add a tracking feature set to sentinel, allowing configuration to track when users were last active and from what IP.

This could be done fairly easily through a guardian hook.

Reference: http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Trackable

Crashes looking for the deps folder when I do mix sentinel.install

Both the Users and the Sessions controllers have been recently introduced, but have been frustratingly buggy to work with. Small errors like mismatched parameters, lost error messages, wrong redirects, etc.

I think specially since this part is supposed to be integrated with an external application and some customizeable parts (eg. views) they need more robust tests.

Providing a default that Just Works is very important

Not sure if you want integration tests or more specialized ones, but either way all the boundaries need to be tested. With that it'll be easier to document how you can extend and customize Sentinel too.

Edit: wording

Thank you for all this!

It would be great to have an example Sentinel 2.0 app.

Kind regards,

Angel

While I appreciate the "everything but the kitchen sink" approach of this library, I think the inner workings are a bit too opaque.

I think being able to generate one's own controllers and views during installation would go a long way towards customizability.

For example, new user creation via a JSON api seems to be handled through JSON.UserController, but it follows invitation logic where the user provides their email first, confirms it, then creates their password.

What if I want to have the user provide their email AND password during the first step? Currently there isn't a way to do that (unless I missed something - documentation and examples assume too much prior knowledge of Guardian and UeberAuth).

The second of these two functions doesn't seem like it would ever run:

https://github.com/britton-jb/sentinel/blob/master/lib/sentinel/ueberauthenticator.ex#L29-L45

On the back burner until I wrap up the HTML views, but I'd like to add ueberauth functionality out of the box as well.

Hi, I tried using Github to authenticate in an app I'm building and I failed so I tried the sentinel_example you made and it also failed.

The with statement in Sentinel.Controllers.Html.AuthController.new_user() has no else clause. This leads to the following exceedingly cryptic error message if AfterRegistrator.confirmable_and_invitable() or RegistratorHelper.callback() fails to return {:ok, user}.

expected action/2 to return a Plug.Conn, all plugs must receive a connection (conn) and return a connection

Has there been any thought on accommodating custom redirect paths? I really like how coherence handles these (https://github.com/smpallen99/coherence#customizing-redirections) but they could just as easily be added as a configuration with something like this, too:

config :sentinel,
  redirects: %{
    auth_callback: {:controller, :action},
    password_create: {:controller, :action}
  }

Im getting this error when I tried upgrading Sentinel from 1 to 2.

== Compilation error on file lib/sentinel/web/controllers/auth_controller.ex ==
** (FunctionClauseError) no function clause matching in Keyword.merge/2
    (elixir) lib/keyword.ex:579: Keyword.merge(nil, [])
    lib/ueberauth.ex:175: Ueberauth.init/1
    (plug) lib/plug/builder.ex:193: Plug.Builder.init_module_plug/3
    (plug) lib/plug/builder.ex:181: anonymous fn/4 in Plug.Builder.compile/3
    (elixir) lib/enum.ex:1755: Enum."-reduce/3-lists^foldl/2-0-"/3
    (plug) lib/plug/builder.ex:181: Plug.Builder.compile/3
    (phoenix) expanding macro: Phoenix.Controller.Pipeline.__before_compile__/1
    lib/sentinel/web/controllers/auth_controller.ex:1: Sentinel.Controllers.AuthController (module)
    (elixir) lib/kernel/parallel_compiler.ex:117: anonymous fn/4 in Kernel.ParallelCompiler.spawn_compilers/1

I tried to narrow down where the error was being caused and had trouble making any in-roads.

Hi there!

More of a question than an issue, but exhausted my google searches trying to find a solution and you may know this already.

I provide a Phoenix.View object on Sentinel's configuration. It works finding the template, but I could not find a way to add my application layout to it.
Since normally the controller adds the layout, and the controller is on Sentinel, not my application, the only place I could add it is in the view.

My idea was to match the render method, add the layout and call upstream's render. Problem is, the layout key is not in the map.

def render("new.html", assigns), do: # add layout and call render again.

If I use the above, it's going to loop. My initial idea was to pattern match when the key is NOT there, but either I'm bad at google or there isn't a way to do that.

The second option, to render the template myself, also doesn't work since the render method is the last one in the public API of phoenix's view.

My last instinct was to just "override" the controller method. That would mean I'd need to have the Sentinel controller as a behavior that I could override the methods myself. Using that I'm guessing the layout will already be set by use App.Web, :controller. But this is coming from someone with OO centric views, so this may be horrible or not even possible.

Would appreciate to hear any of your thoughts on this

Thanks!

Document example API authentication, and authenticated request after authentication for those not familiar with the way Guardian works.

Good day,

I'm trying Sentinel out (works great!). Anyway, what's the best way to created logged in users when doing controller tests, feature tests?

This is a design suggestion.

When you store everything in one table it will work, but its not extendable for further scenarios.
I would suggest to create a separate auth table and a separate user table.

Pros:

1. An user is able to use multiple auth strategies. like facebook / google / email / others..
2. The user model does not depend on a authentication strategy
3. Clean separation, cleaner models

I'd like to add a mix task that does all of the basic configuration and setup of sentinel from a fresh phoenix app.

Need to update to use Ecto 2

Hi

I've been working on getting a release together for Guardian v1. This release is
significantly different (in a good way!).

The big difference in V1 is the use of an implementation module, allowing for
multiple configurations per project.

Guardian V1 allows for:

• Supporting token types other than JWT
• Supporting multiple configurations in a single project
• Pipelining of Guardian plugs
• Extracting phoenix helpers into a different project
• Better hooking Support
• Moves the serializer into the implementation module

To get started with V1 developers need to create a 'token module'.

  defmodule MyApp.AuthTokens do
    use Guardian, otp_app: :my_app

    def subject_for_token(resource, _claims), do: to_string(resource.id)
    def resource_from_claims(claims) do
      find_me_a_resource(claims["sub"])
    end
  end

Once you have your implementation module (a bare bones one is above) you can use that directly:

MyApp.AuthTokens.encode_and_sign(resource, claims, opts)
MyApp.AuthTokens.decode_and_verify(token, claims_to_check, opts)

Or, for library authors such as yourself

Guardian.encode_and_sign(MyApp.AuthTokens, resource, claims, opts)
Guardian.decode_and_verify(MyApp.AuthTokens, token, claims_to_check, opts)

We've also disambiguated setting token type, ttl and the key from the claims. These are now set via the options.

Guardian.encode_and_sign(MyApp.AuthTokens, resource, claims, token_type: "access", key: :secret, ttl: {1, :week})

Secrets and configuration values also got an overhaul. Any value can be of the form:

• {:system, "KEY"}
• {mod, :func}
• {mod, :func, [args]}
• fn -> some_value end
• or a literal value

These configuration options can be set either in the configuration or in the implementation module as options to use Guardian

Pipelines

All plugs require being set as part of a pipeline. Pipelines put the implementation module and error handler on the conn.

You can set these directly with Guardian.Pipeline or create a pipeline module

plug Guardian.Pipeline, module: MyApp.AuthTokens, error_handler: MyApp.AuthErrorHandler

OR

  defmodule MyApp.AuthPipeline do
    use Guardian.Plug.Pipeline, otp_app: :my_app,
                                module: MyApp.Tokens,
                                error_handler: MyApp.AuthErrorHandler

    alias Guardian.Plug.{
      EnsureAuthenticated,
      LoadResource,
      VerifySession,
      VerifyHeader,
    }

    plug VerifySession, claims: @claims
    plug VerifyHeader, claims: @claims, realm: "Bearer"
    plug EnsureAuthenticated
    plug LoadResource, ensure: true
  end

With usage

plug MyApp.AuthPipeline

I expect that this will be a pre-release within about a week.
I'd love to get feedback on it before it goes full version 1.

Currently testing HTML and JSON for the 2.0.0rc, available here as the v2 branch.

Fixed issue with improper session verification using Guardian plugs in most recent commit. Working through ensuring there are no other issues.

Given the way it looks to be performing we should have a 2.0.0 official release by next Monday.

Maybe I missed something important, but the instructions and source code seem to indicate the mix task sentinel.gen.views should exist. I get the following error when I try to use it.

** (Mix) The task "sentinel.gen.views" could not be found

The task does not exist in deps/sentinel/lib/mix/tasks/.

Break registerable out into it's own module that can be switched on and off. Some users may not want users to be able to register for their application on their own.

This should just be a config option that then removes the new user page in the router mount macro.

Hi guys,
I'm working in generators for guardian(https://github.com/victorlcampos/gen_guardian) and I think we can work together to make the amazing guardian lib, better.

Currently the identity provider will work as intended on the JSON, but the Ueberauth provider flow has a few sticking points, related to this discussion.

In my testing I'm able to properly implement the OAuth flow, and redirect the user back to the single page application, the current intended use case, but then getting a guardian token down to the client securely is proving problematic. Currently it looks like the best way to handle this would either by using the session, or by appending it the URL, the latter seeming like a very bad idea, and the former seeming a bit difficult for the API user.

Currently due to constraints in Ueberauth (referenced in the above discussion) this also will not handle a mobile app authenticating using for example Google and attempting to pass the token back to the server. It looks like the better way to handle this use case may be to use another OAuth library in tandem to authenticate using a token gathered by the client OAuth flow to generate a Guardian token.

Currently open to advice and suggestions, as I feel I may be missing something obvious here.

Hi!
I'm reviewing this for a project. I wonder if you already have an example app done.

Maybe I could help with that. I don't know if this is what I need yet, or whether will work with what I have already done. It's a Phoenix app with React.js front-end.

Currently, there are features here that I don't need and it's missing what I need: #9 Lockable.

I have not looked into how this was done in Devise, but I guess you need failed_attempts and locked_at fields

https://github.com/katgironpe/rails_api_template/blob/master/db/schema.rb

Guardian.Plug.sign_in(user) calls appear in a number of places in few files. As of now, there does not appear to be a way to add permissions or otherwise customize generated tokens.

Maybe a solution would be factoring these calls out into something like a TokenMint module?

defmodule TokenMint do
  def sign_in(conn, user), do: Guardian.Plug.sign_in(conn, user)
end

A configuration option could be used to replace this with a user supplied module/function/plug that takes the user and uses it to mint a customized token. Would this be a reasonable way of issuing customized tokens in Sentinel?

Need to document the details of the mix install steps to handle the use case where a user model already exists.

Allow Sentinel to work with multiple model types, for example a regular user, and an admin user.

Probably not going to get to this until after Ueberauth integration, which will be V2.

New to phoenix, trying this out. I see in the README that you are upgrading, so perhaps this bug report is useless, but following along with the README to integrate sentinel with a test phoenix app I have I hit the following warning:

mix phoenix.gen.model is deprecated. Use phx.gen.schema instead.

Looking through the code, it seems this is still in the master branch at https://github.com/britton-jb/sentinel/blob/master/lib/mix/tasks/install.ex#L52.

I'd offer to help out with that, but I'm new to elixir/phoenix and probably would be more noise than signal. (I don't even know how to install the local cloned version of this app in favor of the one from hex.pm, for example)

Trying to use sentinel for invitations, I've been trying for quite awhile to get this working. At first the emails weren't sending at all, but I figured out the send_emails param and after setting that emails are sending but the email body is blank for both html and text formats.

This is my config:

config :guardian, Guardian,
  issuer: "MyApp",
  ttl: { 30, :days },
  verify_issuer: true,
  secret_key: System.get_env("SECRET_KEY"),
  serializer: MyApp.GuardianSerializer

config :guardian_db, GuardianDb,
  repo: MyApp.Repo

config :sentinel,
  app_name: "MyApp",
  user_model: MyApp.User,
  email_sender: "support@my_app.com",
  crypto_provider: Comeonin.Bcrypt,
  repo: MyApp.Repo,
  invitable: :true,
  endpoint: MyApp.Endpoint,
  router: MyApp.Router,
  send_emails: true,
  environment: :development

config :sentinel, Sentinel.Mailer,
  adapter: Bamboo.LocalAdapter

config :my_app, MyApp.Mailer,
  adapter: Bamboo.LocalAdapter

This is how I'm triggering it:

Sentinel.UserRegistration.register(%{ "user" => %{ "email" => email } })

The documentation example settings list user_view: MyApp.UserModel.View,. I had to change this to user_view: MyApp.UserView, to get Sentinel to work.