I'm using and updated version of the Guardian example it seems that whatever combination of permissions I try to inject (for instance, "Guardian.Plug.sign_in(user, :token, perms: %{ default: :write_profile })" it won work.
When inspecting claims I always see: ..."pem" => %{"default" => -1},

It is entirely possible that something is configured incorrectly on my end, however I think I followed the setup guides pretty well.

I set my permissions in config like so:

# config.ex

config :guardian, Guardian,
  issuer:        "Apollo",
  ttl:           {30, :days},
  verify_issuer: true,
  secret_key:    "4AvxMVXpO7XjeO+AVPwh1SQi+jz5rd3PtI4I0ifxbuZAshlZ2SZMKPSvr3gqZzXf",
  serializer:    Apollo.GuardianSerializer,
  permissions: %{client:                  [:insert, :update, :delete, :show],
                 client_type:             [:insert, :update, :delete, :show],
                 custom_field_definition: [:insert, :update, :delete, :show],
                 custom_field_section:    [:insert, :update, :delete, :show],
                 event_type:              [:insert, :update, :delete, :show],
                 group:                   [:insert, :update, :delete, :show],
                 item:                    [:insert, :update, :delete, :show],
                 item_type:               [:insert, :update, :delete, :show],
                 location:                [:insert, :update, :delete, :show],
                 location_type:           [:insert, :update, :delete, :show],
                 user:                    [:insert, :update, :delete, :show]}

And I am assigning permissions in the sign_in method like so:

# session_controller.ex

conn
|> AuditAction.record_action
|> put_flash(:info, "Logged in.")
|> Guardian.Plug.sign_in(user, :token, perms: Authentication.perms_for(user))
|> redirect(to: user_path(conn, :index))

Authentication.perms_for/1 seems to be returning permisssions formatted correctly. For example:

%{client:      [:show, :insert],
  client_type: [:show, :insert]}

However, when I try to check permissions, it looks like Guardian is consistently assigning 0 to everything. For example:

# Output from `Authentication.perms_for(Guardian.Plug.current_resource(conn))`
%{client: [:show], client_type: [:show], event_type: [:insert, :update, :show],
  group: [:show], item: [:insert, :update, :show], item_type: [:update, :show],
  location: [:show], location_type: [:show], user: [:show]}

# Output from `Guardian.Plug.claims(conn)`
{:ok,
 %{"aud" => "token", "exp" => 1448828739, "iat" => 1446236739,
   "iss" => "Apollo", "jti" => "078330cb-4f97-492a-9cb1-6529e9ca2c9e",
   "pem" => %{"client" => 0, "client_type" => 0, "event_type" => 0,
     "group" => 0, "item" => 0, "item_type" => 0, "location" => 0,
     "location_type" => 0, "user" => 0}, "sub" => "User:922796382408934407"}}

In iex if I run Guardian.Permissions.available, the result is [].

I'm not sure if I am providing enough information to assist, so if not I'd be more than happy to provide more. It sounds similar to #47 however I am using version 0.6.3.

Thanks for the help!

I login to api via Guardian.encode_and_sign(xxx). I cannot use Guardian.Plug.sign_out(conn) to logout from api. It said "cannot fetch_session". and method Guardian.revoke! do nothing with authentication data in header

I think it's a code smell for a library to do 'IO.puts' on errors, the errors should be reflected only in the function's output.

My opinion only so if you agree I could make the fix myself and submit a PR.

This is really intrusive into my sea of green dots while running my tests. Is this still necessary? If so, I am quite curious as to why this is required.

Hi,
I'm coding a login/sign up views that I have guarantee that the user are not Authenticated, if it is, I have to do something(handler).

Could I code this plug and submit a pull request?

Hey,
Would it be possible to git-tag the version bumps in the future?

I'm happy to do the grunt work and find the previous commit ids if backward tags can be done by you? (Guessing it requires force push of master, so not repo friendly to do!) but the offer is there!

https://github.com/bryanjos/joken

Could you elaborate on what your thoughts are around how the Strategies would work?

I've tried to work it out, but the {:ok, resource} syntax seems to make it verbose while handling the response. An alternative would just have the user run the authenticator on their own and add the Guardian.sign_in, with the added bonus of being able to have a spot to easily reject the authentication (deactivated account, flood control, etc).

defmodule Guardian.Authenticator do
  use Behaviour

  @doc "Runs an authentication strategy and returns the resource if successful"
  defcallback authenticate(conn :: Plug.Conn.t, params :: term) :: { :ok, resource :: term } | { :error, String.t }
end

defmodule Guardian.Strategy do
  @spec execute(Plug.Conn.t, term, term) :: Plug.Conn.t | {:error, String.t}
  def execute(conn, params, authenticator) do
    case authenticator.authenticate(conn, params) do
      {:ok, resource} -> Guardian.sign_in(conn, resource)
      {:error, message} -> {:error, message}
    end
  end
end

def create(conn, params = %{}) do
  case Guardian.Strategy.execute(conn, params, AuithenticatorModule) do
    conn -> conn
      |> redirect(to: user_path(conn, :index))
    {:error, message} -> conn
      |> put_flash(:error, message)
      |> redirect(to: "/")
  end
end

A common use case for many api's that are consumed by mobile app's is to get a new token without re-authenticating to avoid contentiously prompt users with login screens. This is most commonly done with refresh tokens. Would it be an idea to make a project similar to GuardianDb to implement this behavior?

Non-optional dependencies need to be listed in the :applications list in Mixfile, which will be used to generate .app file.

I've been playing around with permissions and haven't been able to get them working... I've set them in my config file:

permissions: %{
    admin: [
      :users
    ]
  }

and then am assigning them on sign in like this:

Guardian.Plug.sign_in(user, :token, perms: %{ admin: [:users]}) 

In my controller I am then using:

plug Guardian.Plug.EnsurePermissions, on_failure: { Blog.UserController, :unauthenticated }, admin: [:users]

The on_failure callback gets called every time I try to access the controller. In order to figure out what was going on I started playing around with the Guardian.Permissions API. When I call:

Guardian.Permissions.to_value([:users]) 

it returns 0. I assume there is something wrong as the docs say that an integer from 1-31 should be assigned.

In addition, when I inspect the claims the "pem" key looks like this:

"pem" => %{"admin" => 0}

Any ideas as to what is going on?

When I'm working in Ruby, I really enjoy how Clearance's Backdoor Middleware allows me to skip the sign in process when writing browser-level acceptance tests. When in my test environment, I can append the as query string parameter when I make a request, and I'm automatically signed in as that user. (Here's how I'd make the request using Hound).

navigate_to "/?as=#{user.id}"

What would you think about guardian having a middleware that allows developers to be able to skip the sign in process during acceptance tests? To enable this, I was thinking they might add the following to their web/router.ex file.

pipeline :browser_session do
  if Mix.env == :test do
    plug Guardian.Plug.Backdoor
  end

  plug Guardian.Plug.VerifySession
  plug Guardian.Plug.LoadResource
end

I'd be happy to work on this and I'm still thinking over the implementation details, but I wanted to run it by you before I start.

Current usage of Calendar dependency is a huge overkill, especially for compilation, releases.

It might be replaced with:

{mgsec, sec, _usec} = :os.timestamp
mgsec * 1_000_000 + sec

It would be nice if on_failure were optional and we could make use of Plug.Exception protocols for Guardian errors.

I could be totally wrong, but I'm a tiny bit on the fence with the semantics of the Plug namespace.

Since Plug is generally concerned with a "connection", should the Guardian.Plug namespace be Guardian.Conn instead?

I realize that the Guardian.Plug namespace indicates that these modules provide the Plug contract (behaviour), just wondering if it's necessary?

Thoughts?

On startup, pre-generate all allowable keys so that they're only generated once rather than going string -> atom -> string in Guardian.Keys

On encode_and_sign allow setting a secret so that people can use a custom secret per token for signing. This would be considered 'advanced' since you'd need to provide an identifier to lookup the secret along with the token (maybe)

The README refers to "JWT" in a number of places, but never explains what it is. I'm an old fart web developer and it took me quite a bit of googling to figure out that this meant JSON Web Tokens. Expanding that in the README would help a lot with readability.

Hi, I'm new to Elixir/Phoenix/Guardian, but I've gotten an API up and running with Guardian configured. Presently, I'm hard-coding permissions for all my users like so:

{ :ok, jwt, full_claims } = Guardian.encode_and_sign(user, :token, %{
  name: user.name,
  perms: %{ admin: [:dashboard] }
})

But I was wondering how I might save the permissions bit on my user record, so that different users could have different permissions (and thus get different tokens).

How might I do this?

I'm a bit confused by all? I'm assuming it means all permissions are verified, but in the below example a non existent value checks true.

assuming the below config from your example in the README

config :guardian, Guardian,
  issuer: "Aclpho",
  ttl: { 30, :days },
  verify_issuer: true,
  secret_key: "xxxxxxxxxxxxxxxxxx123411",
  serializer: Aclpho

config :guardian, Guardian,
       permissions: %{
         default: [:read, :write],
         admin: [:dashboard, :reconcile]
       }

the test channel

defmodule Aclpho.RC do
  require Logger
  use Phoenix.Channel
  use Guardian.Channel

  def join(_room, %{ claims: claims, resource: resource }, socket) do
    Logger.warn "claims: " <> inspect claims
    case Guardian.verify(resource) do
      { :ok, claims } ->
        Logger.warn "verified claims: " <> inspect claims
        can_read? = Guardian.Permissions.from_claims(claims, :default)
          |> Guardian.Permissions.any?([:read], :default)
        can_write? = Guardian.Permissions.from_claims(claims, :default)
          |> Guardian.Permissions.any?([:write], :default)
        can_foo? = Guardian.Permissions.from_claims(claims, :default)
          |> Guardian.Permissions.all?([:foo], :default)
          #|> Guardian.Permissions.any?([:foo], :default)
        Logger.warn "permissions were: " <> inspect {can_read?,can_write?,can_foo?}

        { :ok, %{ message: "Joined #{inspect clams.sub}" }, socket }
      { :error, reason } ->
        Logger.warn "sad face :("
        { :error,  :authentication_failed}
    end
  end

uncommenting the any? line prints the expected {true, true,false} tuple. Why does aall? return true for a permission that does not exist?

Is there a way to keep session upon app restart? Or if not, is it possible to hook up redis or something to handle this?

Hi there,

Quite new to elixir and phoenix so apologies if this isn't a bug but a mistake in my code, I had a look at the code and couldn't see what was wrong with it to be able contribute a fix or confirm if it is a bug in Guardian or I'm just doing something wrong.

Basically when I use

plug Guardian.Plug.EnsureAuthenticated, on_failure: { SessionController, :new }

In a controller and the on_failure triggers rather than send me to the :new action of the SessionController it seems like it's trying to send me to the :new action of the current controller. I've attached a screenshot of the error and the code the code I'm getting this error with is here: controller where EnsureAuthenticated is being called, https://github.com/oscarduignan/phoenix-time-tracker/blob/master/web/controllers/user_controller.ex#L7; and the action it's trying to use for on_failure, https://github.com/oscarduignan/phoenix-time-tracker/blob/master/web/controllers/session_controller.ex#L6-L8.

If I visit hexdocs.pm/guardian, it redirects to http://hexdocs.pm/guardian/overview.html which is 404, which makes it a little bit harder to find the published docs. They are available at https://hexdocs.pm/guardian/Guardian.html

Hi, i´m sure its my error but i need more info to use guardian
here is my index page.

in the console i see the token being inspected

however in my index view
i have <%= inspect @conn %> and the token is not there.

if i change the return of index above to
render conn, "index.html" , token: Guardian.Plug.current_token(conn)
i see the token but is set to nill

Can you help a litle more ?

regards
António

I'm developing with Guardian right now, and I want a part of a website to be available to both default user and admin
Because of that I distributed the permissions like that

permisions: %{
  default: [
    :see_page
  ],
  admin: [
    :see_page,
    :do_admin_stuff
   ]
}

But right now if I want to check the permissions using plug I'm unable to check the permission by name
because

plug EnsurePermissions, [handler: __MODULE__, default: [:see_page]]

Which still doesn't allow the admin to see the page, because it check under a key instead of checking the permission itself
Did I get something wrong or is the permissions model quite unintuitive?

I have added ueberauth_identity and then I read about this. Is there example for combining the two?

Like in title, can't create token, it seems that it is Guardian or base64url fault, I need to work around it asap.

iex:

user = Repo.get(User, 1)

%Myapp.User{__meta__: #Ecto.Schema.Metadata<:loaded>,
 crypted_password: "$2b$12$CV.lhxwuCT9gfLxek1fC0.uLKNlJnh/ookv7M84UgGO07xzq3V6Zu",
 email: "[email protected]", id: 5,
 inserted_at: #Ecto.DateTime<2015-11-24T18:47:31Z>, password: nil,
 updated_at: #Ecto.DateTime<2015-11-24T18:47:31Z>, username: nil}

{ :ok, jwt, full_claims } = Guardian.encode_and_sign(user, :api)
** (FunctionClauseError) no function clause matching in :base64url.encode/1
    src/base64url.erl:22: :base64url.encode(nil)
    lib/guardian.ex:231: Guardian.jose_jwk/0
    lib/guardian.ex:234: Guardian.encode_claims/1
    lib/guardian.ex:68: Guardian.encode_and_sign/3

mix.lock

%{"base64url": {:hex, :base64url, "0.0.1"},
  "comeonin": {:hex, :comeonin, "1.6.0"},
  "cowboy": {:hex, :cowboy, "1.0.4"},
  "cowlib": {:hex, :cowlib, "1.0.2"},
  "decimal": {:hex, :decimal, "1.1.0"},
  "ecto": {:hex, :ecto, "1.0.6"},
  "fs": {:hex, :fs, "0.9.2"},
  "guardian": {:hex, :guardian, "0.7.1"},
  "jose": {:hex, :jose, "1.4.1"},
  "phoenix": {:hex, :phoenix, "1.0.3"},
  "phoenix_ecto": {:hex, :phoenix_ecto, "1.2.0"},
  "phoenix_html": {:hex, :phoenix_html, "2.2.0"},
  "phoenix_live_reload": {:hex, :phoenix_live_reload, "1.0.1"},
  "plug": {:hex, :plug, "1.0.2"},
  "poison": {:hex, :poison, "1.5.0"},
  "poolboy": {:hex, :poolboy, "1.5.1"},
  "postgrex": {:hex, :postgrex, "0.9.1"},
  "ranch": {:hex, :ranch, "1.2.0"},
  "uuid": {:hex, :uuid, "1.1.1"}}

When using EnsureAuthenticated, allow a map of claims to be passed in. If present, it should check that those claims are present.

e.g.

EnsureAuthenticated claims: %{ aud: "customer" }

Has anyone tried Guardian with the new Poison 2.x versions? Any issues?

I've just put poison 2.1 in as an override and haven't seen any issues yet (but it's very early in the day).

Hi guys,
I realy like guardians, but a devise's feature that i miss is the generators. Because of this I startad create it:

https://github.com/victorlcampos/gen_guardian

What do you think? Could I open a pull request to guardian project to add this to it?

Hi!

I am using guardian to authenticate users to access private actions in my phoenix application and everything is working fine.

The problem is that I can't make my controllers tests to pass. All requests are falling on the plug Guardian.Plug.EnsureAuthenticated, rendering the login page instead of executing the action normally.

I have already tried the following in my controller test:

  setup do
    user = Repo.insert(%User{})
    conn = conn()
            |> sign_conn()
            |> Guardian.Plug.sign_in(user, :token, perms: %{ default: Guardian.Permissions.max })
    {:ok, conn: conn}
  end

The sign_conn I got from plug's tests and it is defined in my ConnCase exactly like it is in the link.

I did that because just calling the Guardian.Plug.sign_in in the conn() was raising errors related to fetch_session

So, am I on the right path? If not, what is the best way to bypass this authentication on controller tests?

My best

I had problems verifying tokens from the auth headers, I always got an {:error, "argument error"} in my assigns which happened during JSON decoding of the claims.
Weirdly enough the problem seemed only to appear if I hadn't created a token before.

After looking deeper, I discovered, that it is not the recommended way for the Poison decoder configuration to use atoms as keys, read here:
https://github.com/devinus/poison#parser

Note that keys: :atoms! reuses existing atoms, i.e. if :name was not allocated before the call, you will encounter an argument error message.

You can use the keys: :atoms variant to make sure all atoms are created as needed. However, unless you absolutely know what you're doing, do not do it. Atoms are not garbage-collected, see Erlang Efficiency Guide for more info:

Atoms are not garbage-collected. Once an atom is created, it will never be removed. The emulator will terminate if the limit for the number of atoms (1048576 by default) is reached.

The Guardian.JWT module however uses atoms as keys:

  @doc false
  def decode(binary), do: JSON.decode!(binary, keys: :atoms!)

As I understand, this creates weird problems, where you have to anticipate and instatiate all atoms that you might need for the to-be-decoded JSON text before trying to decode it. Apart from that you could run out of atoms.
I will also open a ticket for the Joken guys, as they have a similar example for a config module in their README.

It would be nice from a testing perspective to be able to generate a throwaway token for testing, especially when using GuardianDB.

If I've missed this utility somewhere I apologize. If not, I'd definitely be up for submitting a PR.

This issue will be closed once I write the guides. It's mostly here as a placeholder to remind myself what I need to do.

The idea is prose + code, a walkthrough that explains both how to use Guardian and why a user should consider it.

Hi,
if you agree I think I can help you to make some generators like device has

This is probably an Elixir string thing, but here goes:

I'm moving from posting a "jwt" param to putting it in the "Authorization" header.

However, I get this weird behavior:

  def a_controller_action(conn, %{ "jwt" => p_jwt} ) do

    h_jwt = get_req_header( conn, "authorization" )
    Logger.error "The jwt from the header looks like this ..."
    Logger.debug h_jwt
    Logger.error "Here's the one from params:"
    Logger.debug p_jwt
    Logger.error "They look the same, but: are those the same?"
    Logger.debug p_jwt == h_jwt
    Logger.error "Son of a gun!"

    case Guardian.decode_and_verify(p_jwt) do
      ...
      # p_jwt works, h_jwt doesn't

The output I get is:

[error] The jwt from the header looks like this ...
[debug] eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVc2VyOjIzIiwicGVtIjp7fSwianRpIjoiODg4YTBjMjQtZDljMy00YWFmLTkyYTgtNmZiOWE1ZWU0ZTRjIiwiaXNzIjoiRmxhc2hiYW5nIiwiaWF0IjoxNDQ2NzYyNzYzLCJleHAiOjE0NDkzNTQ3NjMsImF1ZCI6InRva2VuIn0.pTVplbARneTmC8-wnAvcajn4Xmc3O4zhs8cF_7gXlXk
[error] Here's the one from params:
[debug] eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVc2VyOjIzIiwicGVtIjp7fSwianRpIjoiODg4YTBjMjQtZDljMy00YWFmLTkyYTgtNmZiOWE1ZWU0ZTRjIiwiaXNzIjoiRmxhc2hiYW5nIiwiaWF0IjoxNDQ2NzYyNzYzLCJleHAiOjE0NDkzNTQ3NjMsImF1ZCI6InRva2VuIn0.pTVplbARneTmC8-wnAvcajn4Xmc3O4zhs8cF_7gXlXk
[error] They look the same, but: are those the same?
[debug] false
[error] Son of a gun!

Which is funny! They look exactly the same from here.

I'm not sure that this is a Guardian issue, but the thing is, Guardian can decode and use the JWT from params, but when trying to decode the one from headers, I get:

    (stdlib) binary.erl:244: :binary.split/3
    lib/joken/token.ex:102: Joken.Token.verify_signature/3
    lib/joken/token.ex:69: Joken.Token.decode/3
    lib/guardian.ex:127: Guardian.decode_and_verify/2
    (...) web/controllers/user_controller.ex:27: _.UserController.current_user/2
    (...) web/controllers/user_controller.ex:1: _.UserController.action/2
    (...) web/controllers/user_controller.ex:1: _.UserController.phoenix_controller_pipeline/2
    (...) lib/phoenix/router.ex:255: Flashbang.Router.dispatch/2

with no more detail, no lines before/after etc.

Any ideas what could cause two strings that print the same to be different to Elixir? Or why the value extracted from params would be a different binary from the one taken from headers?

This one is referenced a couple times in the readme, but not individually documented like the others

I followed the guardian phoenix example, and I'm a little confused on how to get a token for a user so they can start making API requests.

I tried copying and pasting the token I got from the browser session, into a API requests Authorization header, but it's failing on EnsureAuthenticated matching on { :error, :no_session }.

This might sound dumb, but..
Will I need to create a user session before calling an API endpoint?

I would like to do something like POST: http://example.com/api/v1/login and pass in an email and password. Then it would return a JWT to use for future API requests.

Anyway, I would like to see your approach on this, because I feel like the example app didnt go into much detail about making API requests with a JWT.

Thank you for any help.

Hi folks.

There's a bit of confusion around the names of things in Guardian. I'm not surprised because I'm pretty terrible at naming things.

The things that have currently been discussed are:

Functions

Guardian.mint

This function generates a JWT, and calls hooks that incorporate behaviour. Mint does not seem to be a common word for this (it fits! but just not common)

Suggestions so far:
Guardian.encode_and_sign

Guardian.verify

In order to be symmetrical with the replacement for mint, the following has been suggested
Guardian.decode_and_verify

Modules

EnsureSession

This is just flat out poorly named. It implies that you need to be running a session (which is not true).

An alternative might be
EnsureTokenValidity

VerifyAuthorization

This module fetches a token from the Authorization header, but could be named better.

Open for suggestions.

Hi,

forgive the somewhat unrelated question, but as a newcomer to Elixir, I just pulled my hair out for way too long because my permissions weren't working ... until I realized that mix actually compiles the Map in config.exs directly into the @perms attribute, and that said compilation isn't automatically re-triggered when my configuration changes. In other words, I have to delete _build/guardian after updating my permissions or else my app won't work.

If this should happen automatically, then something must be missing in my setup, and I'd be grateful for a pointer to a working example.

Hello.

The title of this issue is a bit misleading because I don't know how to describe my question in 2-3 words.

I have a bit weird question. I'm building a mobile web app. My app as any other web app can be added to Home Screen in iOS using Safari. The problem is that if you close such 'standalone' app or just send it to background, the next time you open it you will have to login again because, as I understand, cookies are deleted when you send to background or close 'standalone' web app. Similar issue on StackOverflow http://stackoverflow.com/questions/3813599/iphone-bookmark-to-homescreen-removes-cookies-and-session

So I'd like to cache 'something' on client side using localStorage to use this 'something' to be logged in again when I open my 'standalone' web app, so I don't need to submit emai/password every single time when I open my app.
So the question is what should I cache/store on the client side and what should I send to the backend to be logged in?

My current hackity workaround is the following: once a user authenticates using email/password, backend sends Guardian token in the response, client side stores a token in localStorage. Then on the login page javascript checks if there is a token in the cache and sends it to an endpoint(i.e. api/session/exists) with the following plugs in the pipeline:

plug :fetch_session
plug Guardian.Plug.VerifyHeader
plug Guardian.Plug.LoadResource

On the backend side I do the following:

case Guardian.Plug.current_resource(conn) do
  nil -> send_resp(conn, 401, "Unauthenticated")
  user -> Guardian.Plug.sign_in(conn, user) |> send_resp(200, "")
end

In other words I authenticate a user using API approach(jwt token) to make this user authenticated in browser. This is really weird mixture of API and browser authentication and I believe there is a better approach. Also I'm not sure if such approach is secure.
Maybe it's possible somehow to communicate a token in the URL(not in header)?

Could you please help me?

Thank you so much!

Hi y'all,

Just came across some unexpected functionality:

defmodule MyApp.TokenSerializer do
  @behaviour Guardian.Serializer
  alias MyApp.Repo
  alias MyApp.User

  ...

  def from_token(id) do
    case user = Repo.get(User, id) do
      %User{} ->
        {:ok, user}
      nil ->
        {:error, "Unknown resource"}
    end
  end
end

My naive impression was that that returning an error here would cause Guardian to abort the request in some fashion. However, the error is swallowed up here.

I'll likely implement my own plug to verify that the current_resource is not nil for now, but I thought it might be nice if Guardian provided something similar. Two ideas:

• Plug.LoadResource could call the unauthenticated method on the handler when the serializer returns an error
• A new plug like (Plug.EnsureResource?) that calls the unauthenticated method on the handler when the serializer returns an error

I'm happy to take a stab at a PR if you like either idea.

I'm still pretty new to Elixir/Phoenix, so please forgive me if this a noob question. Guardian looks like a great authentication library, but I have one question...

I've been looking through the codebase and see a lot of guardian's internal state is stored on conn.assigns instead of using conn.private. It looks like guardian is currently adding keys like :guardian_default_claims and :guardian_default_jwt to the assigns hash, which I think makes them available in phoenix templates by using@guardian_default_claims and @guardian_default_jwt, respectively. I was thinking that the assigns hash was only for things the developer wanted to access in their template using the @variable_name syntax. I'm curious about what the advantage is of putting these keys in conn.assigns versus storing them in conn.private and exposing a helper function to access them if they really need to be accessed.

Any insight on this would be greatly appreciated as I continue to learn Phoenix.

I don't think checking the value in conn.assigns dict returns a tuple. all the documentation i can find points now to returning just the value or nil. Since Guardian.Plug.claims is checking for this tuple, https://github.com/hassox/guardian/blob/master/lib/guardian/plug.ex#L161, it's always failing for me with the :no_session error case. This breaks me checking claims and the various plugs like EnsureAuthenticated that use it. I'm using Plug v1.0.2 and I noticed the test suite is set up for v1.0.0 but i can't see the difference in return values for it between the versions. Is there something I'm missing?

There is no need to have Dict calls in places where the input can be of only one type, e.g. Guardian.Claims module.

• shows desired datatype explicitly
• Dict may be gone in Elixir v2.0
• is a bit faster

It signals that we are working with booleans - not truthy and falsy values. It's also slightly faster.

I am trying to authenticate a user via api, but I'd also like to make sure they remain authenticated should they refresh the page.

Guardian.Plug.sign_in seems to fit the bill for storing user authentication in a cookie, but the cookie doesn't get set when I auth via my api.

This does work:

    conn
    |> Guardian.Plug.sign_in(user)
    |> redirect(to: root_path(conn, :index))

Using these pipelines in this order:

      pipeline :browser do
         plug :accepts, ["html"]
         plug :fetch_session
         plug :fetch_flash
         plug :protect_from_forgery
         plug :put_secure_browser_headers
       end

       pipeline :browser_session do
         plug Guardian.Plug.VerifySession
         plug Guardian.Plug.LoadResource
       end

This does not:

    conn
    |> Guardian.Plug.sign_in(user)
    |> render("session.json")

Using these pipelines in this order:

      pipeline :api do
         plug :accepts, ["json"]
         plug Guardian.Plug.VerifyHeader
         plug Guardian.Plug.LoadResource
      end

      pipeline :api_session do
         plug :fetch_session
         plug :fetch_flash
         plug :put_secure_browser_headers
         plug Guardian.Plug.VerifySession
      end

I'm out of guesses as to why one works and the other doesn't as the behavior of redirect and render seem to be essentially the same.

Is there something I'm missing?

Hey,

I try to use Guardian to sign a JWT with RSA plublic/private key.

I see that your implementation don't allow other signature algorithms than HMAC SHA-xxx (HSxxx). The problem comes from jose_jwk/1 that hardcode an jwk HSxxx.

I would like to offer the possibility to use any algorithm available with JOSE. Should I keep a backward compatibility? If so, have you any idea how to do this properly?

I will propose a pull request later in the day or next week but already does not hesitate to offer me your comments.