danschultzer / pow Goto Github PK

In my webapp, Bodyguard library is used for simple authorization.

And Bodyguard.Plug.Authorization receives 1-arity fn for user allocation like &get_current_user/1. Docs

Currently there's a helper fn which simply wraps Pow.Operations.current_user(conn, otp_app: :myapp).

I believe almost every users with Bodyguard and Pow would do the same thing, which means it'll be one of the most frequently used fn.

So, how about adding a fn current_user(conn) or current_user(conn, default_options)?

I am fully loving pow so far but I am finding very hard to integrate or use with other libs due to the controller methods. When we try to implement a new flow its never easy because the custom controller methods lack guidance around how to to properly utilise these.

I had to create custom controller since I am using assigns in weird way in which I require them to generate the reg form and sign in forms. This is working, we now have a problem when it comes to email confirmation as this is not functional at all.

We manage to implement this based on a previous issue:

defmodule AppWeb.RegistrationController do
    use AppWeb, :controller
    alias PowEmailConfirmation.Phoenix.ControllerCallbacks, as: PowEmailConfirmationControllerCallbacks

    def new(conn, _params) do
      changeset = Pow.Plug.change_user(conn)
      form = create_form(App.Users.UserType, %App.Users.User{})

      render(conn, "new.html", changeset: changeset, form: form)
    end

    def create(conn, %{"user" => user_params}) do
      conn
      |> Pow.Plug.create_user(user_params)
      |> verify_confirmed()
    end

    defp verify_confirmed({:error, conn}), do: render(conn, "new.html")

    defp verify_confirmed({:ok, conn}) do
      user = Pow.Plug.current_user(conn)
  
      if confirmed?(user) do
        conn
        |> put_flash(:info, "Welcome!")
        |> redirect(to: Routes.page_path(conn, :index))
      else
        PowEmailConfirmationControllerCallbacks.send_confirmation_email(user, conn)
  
       {:ok, conn} = Pow.Plug.clear_authenticated_user(conn)
        # conn session has been reset and error can be returned
        render(conn, "new.html")
      end
    end
  
    defp confirmed?(%{email_confirmed_at: nil, email_confirmation_token: token}) when not is_nil(token), do: false
    defp confirmed?(_user), do: true
end

We mainly seem to be running in to issue around the expected return type. We have had to disable this feature for the time being as we are still in development. If there a better or easier way to pass assigns to Pow controllers ? Can you provide the best method to add or call the extension from here from the reg controller ?

The error we tend to see if the following: no function clause matching in AppWeb.RegistrationController.verify_confirmed/1 and this occurs on the following line: defp verify_confirmed({:error, conn}), do: render(conn, "new.html")

I like the following which is the initial example we went with as it provides a decent place to start building from:

defmodule AppWeb.RegistrationController do
    use AppWeb, :controller

    def new(conn, _params) do
      changeset = Pow.Plug.change_user(conn)
      form = create_form(App.Users.UserType, %App.Users.User{})
      render(conn, "new.html", changeset: changeset, form: form)
    end

    def create(conn, %{"user" => user_params}) do
      conn
      |> Pow.Plug.create_user(user_params)
      |> case do
        {:ok, user, conn} ->
          conn
          |> put_flash(:info, "Welcome!")
          |> redirect(to: Routes.page_path(conn, :index))

        {:error, changeset, conn} ->
          render(conn, "new.html", changeset: changeset)
      end
    end
end

In my website pow is equipped with three included extensions. And whenever I restarted the server, all the sessions are gone away.

I expected that the PowPersistentSession stores credentials into DB layer, but there's no additional migration.

Is this feature intended or under development?

In my app, I have the need for multiple user tables.

Devise does a killer job (via warden) to authenticate via varying tables & warden scopes.

Is there a good mechanism to do this with this library (without an umbrella)?

Running mix pow.phoenix.gen.templates or mix pow.phoenix.gen.templates --context-app Ss gives the error:

* creating lib/ss_web/views/pow/registration_view.ex
** (ArgumentError) argument error
    :erlang.binary_to_existing_atom("edit", :utf8)
    (elixir) lib/string.ex:2089: String.to_existing_atom/1
    (elixir) lib/enum.ex:1294: Enum."-map/2-lists^map/1-0-"/2
    (elixir) lib/enum.ex:1294: Enum."-map/2-lists^map/1-0-"/2
    lib/mix/pow/phoenix.ex:59: Mix.Pow.Phoenix.create_templates/4
    (elixir) lib/enum.ex:737: Enum."-each/2-lists^foreach/1-0-"/2
    (elixir) lib/enum.ex:737: Enum.each/2
    lib/mix/tasks/phoenix/pow.phoenix.gen.templates.ex:41: Mix.Tasks.Pow.Phoenix.Gen.Templates.create_template_files/1

It does generate lib/ss_web/views/pow/registration_view.ex, but that is all.

Hello!

I'm trying to follow the instructions in the README about the e-mail confirmation extension. I updated the config.ex, the user.ex and the router.ex, generated the templates, added the pow_mailer.ex module, added the mailer_backend key to the config.ex, added the mailer_view function, generated the templates and added the web_mailer_module key. Yet after login I get this error message:

[error] #PID<0.417.0> running UserProfileManagerWeb.Endpoint (cowboy_protocol) terminated
Server: localhost:4000 (http)
Request: POST /session?request_path=%2F
** (exit) an exception was raised:
** (UndefinedFunctionError) function UserProfileManagerWeb.Router.Helpers.pow_email_confirmation_confirmation_url/3 is undefined or private
(user_profile_manager) UserProfileManagerWeb.Router.Helpers.pow_email_confirmation_confirmation_url(%Plug.Conn{adapter: {Plug.Adapters.Cowboy.Conn, :...}, assigns: %{action: "/session?request_path=%2F", current_user: ...
(pow) lib/extensions/email_confirmation/phoenix/controllers/controller_callbacks.ex:56: PowEmailConfirmation.Phoenix.ControllerCallbacks.send_confirmation_email/2
(pow) lib/extensions/email_confirmation/phoenix/controllers/controller_callbacks.ex:39: PowEmailConfirmation.Phoenix.ControllerCallbacks.halt_unconfirmed/3
(elixir) lib/enum.ex:1925: Enum."-reduce/3-lists^foldl/2-0-"/3
(pow) lib/pow/phoenix/controllers/controller.ex:88: Pow.Phoenix.Controller.action/3
(pow) lib/pow/phoenix/controllers/session_controller.ex:1: Pow.Phoenix.SessionController.action/2
(pow) lib/pow/phoenix/controllers/session_controller.ex:1: Pow.Phoenix.SessionController.phoenix_controller_pipeline/2
(user_profile_manager) lib/user_profile_manager_web/endpoint.ex:1: UserProfileManagerWeb.Endpoint.instrument/4
(phoenix) lib/phoenix/router.ex:278: Phoenix.Router.call/1
(user_profile_manager) lib/user_profile_manager_web/endpoint.ex:1: UserProfileManagerWeb.Endpoint.plug_builder_call/2
(user_profile_manager) lib/plug/debugger.ex:122: UserProfileManagerWeb.Endpoint."call (overridable 3)"/2
(user_profile_manager) lib/user_profile_manager_web/endpoint.ex:1: UserProfileManagerWeb.Endpoint.call/2
(plug) lib/plug/adapters/cowboy/handler.ex:16: Plug.Adapters.Cowboy.Handler.upgrade/4
(cowboy) /home/nar/mena_playground/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4

I see that this pow_email_confirmation_confirmation_url function is called, but I don't see any implementation for it in the 1.0.0-rc4 version and the README doesn't mention that I need to implement it either. I see that the e62374b commit changed this in the extension, but I don't know how to get the latest version. How do I get it? I added {:pow, "~> 1.0.0-rc.4"} to mix.exs.

Hello,

I'm trying to test pow in a new phoenix 1.4 app.
The mix task pow.install return this:

mix pow.install -r Powtest.Repo Accounts.User users
** (MatchError) no match of right hand side value: :undefined
    lib/pow.ex:9: Pow.dependency_vsn_match?/2
    lib/mix/pow/ecto/migration.ex:69: Mix.Pow.Ecto.Migration.source_repo_priv/1
    lib/mix/pow/ecto/migration.ex:15: Mix.Pow.Ecto.Migration.create_migration_files/3
    (elixir) lib/enum.ex:765: Enum."-each/2-lists^foreach/1-0-"/2
    (elixir) lib/enum.ex:765: Enum.each/2
    lib/mix/tasks/ecto/pow.ecto.install.ex:49: Mix.Tasks.Pow.Ecto.Install.maybe_run_gen_migration/2
    lib/mix/tasks/ecto/pow.ecto.install.ex:41: Mix.Tasks.Pow.Ecto.Install.run/1
    lib/mix/tasks/pow.install.ex:38: Mix.Tasks.Pow.Install.run_ecto_install/2
    lib/mix/tasks/pow.install.ex:31: Mix.Tasks.Pow.Install.run/1
    (mix) lib/mix/task.ex:316: Mix.Task.run_task/3
    (mix) lib/mix/cli.ex:79: Mix.CLI.run_task/2
    (elixir) lib/code.ex:767: Code.require_file/2

Can you provide a user.ex file and the typical migration pow required ?

I've followed the Getting Started (Phoenix) section in the README to the letter but when I 'fire up' the iex -S mix phx.server and try going to localhost:4000/registration/new I'm told that

$ iex -S mix phx.server
Erlang/OTP 21 [erts-10.0.7] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [hipe] [dtrace]

[info] Running PowwowWeb.Endpoint with Cowboy using http://0.0.0.0:4000
Interactive Elixir (1.7.3) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> 10:25:47 - info: compiled 6 files into 2 files, copied 3 in 874 ms
[info] GET /registration/new
[info] Sent 500 in 69ms
[error] #PID<0.398.0> running PowwowWeb.Endpoint (cowboy_protocol) terminated
Server: localhost:4000 (http)
Request: GET /registration/new
** (exit) an exception was raised:
    ** (UndefinedFunctionError) function PowwowWeb.Pow.Phoenix.RegistrationController.init/1 is undefined (module PowwowWeb.Pow.Phoenix.RegistrationController is not available)
        PowwowWeb.Pow.Phoenix.RegistrationController.init(:new)
        (powwow) lib/powwow_web/router.ex:1: anonymous fn/1 in PowwowWeb.Router.__match_route__/4
        (phoenix) lib/phoenix/router.ex:278: Phoenix.Router.__call__/1
        (powwow) lib/powwow_web/endpoint.ex:1: PowwowWeb.Endpoint.plug_builder_call/2
        (powwow) lib/plug/debugger.ex:122: PowwowWeb.Endpoint."call (overridable 3)"/2
        (powwow) lib/powwow_web/endpoint.ex:1: PowwowWeb.Endpoint.call/2
        (plug) lib/plug/adapters/cowboy/handler.ex:16: Plug.Adapters.Cowboy.Handler.upgrade/4
        (cowboy) /Users/Walther/tmp/meetup/powwow/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4
[info] GET /
[debug] Processing with PowwowWeb.PageController.index/2
  Parameters: %{}
  Pipelines: [:browser]
[info] Sent 200 in 12ms

Any ideas?

Can we add a feature so you still get to use the confirmation flow (sends email) but confirmation is not required to proceed after registration?

Hi!

I'm looking for a way to disable registration routes, as the app I'm building won't need them. I couldn't find any configuration option, so what's the suggested approach for this?

I tried changing pow_routes() in my router to this:

    scope "/", Pow.Phoenix, as: "pow" do
      resources "/session", SessionController, singleton: true, only: [:new, :create, :delete]
    end

But it forces me to import the session templates and overwrite them, as they use the registration path (which doesn't exist now).

Is there a better way to achieve this?

Thanks! 😄

What are the goals for 1.0? What will it take to move from rc to 1.0?

By default, reset_password.html.eex only exposes the @url assigns variable.

How would I go about also having the @user variable exposed so that I can customise my email templates? For example, I want to open my emails with Hi {user}, as opposed to just a generic Hi,?

Guidance appreciated.

Current form template L72 builds form inputs with @changeset.data.__struct__.pow_user_id_field().

This is useful when there're some different types of @changesets are given. (is this intended?)

It can be resolved by replace with Pow.Config.get([otp_app: :my_app], :user, nil) when the template is generated.

It seems like when using a custom SessionController with the PowEmailConfirmation extension, the controller callbacks that handle checking whether the email was confirmed aren't run and the connection isn't halted regardless of the email being unconfirmed.

I realized this is because I defined the controller with a custom name instead of Pow.Phoenix.SessionController.

The motivation behind this is using Pow and its extensions in an API which is decoupled from the front end of the app, so all responses should be JSON rather than HTML. Beginning to wonder if it'd be possible to just handle all the responses with controller callbacks instead and maybe it could be useful as an extension.

I'm looking into implementing https://tools.ietf.org/html/rfc8252, but I'm not sure how to authenticate using pow.

My best guess is some sort of double authentication. The app authenticates with pow and then pow authenticates with Google Apps (for an example). Any ideas?

Sample: https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthConsoleApp/OAuthConsoleApp/Program.cs

More than often, it's enough to check whether an user session is logged in or not.

But currently I can only check user via current_user/1 which returns a bit heavy user-full struct.

How about add a new function returning lightweight true/false instead? This will make consuming less resource.

Recently I changed the credential config from default ets to mnesia explained in the readme guide.

It has worked in dev, but error is popped out in prod. (Release made via Distillery and :mnesia is included in :extra_applications.

Any clue?

console

 9월 24 09:29:11 nohogu1 nohogu[4506]: Loading nohogu...
 9월 24 09:29:11 nohogu1 nohogu[4506]: Starting dependencies..
 9월 24 09:29:11 nohogu1 nohogu[4506]: Creating database if not exists...
 9월 24 09:29:11 nohogu1 nohogu[4506]: Running migrations...
 9월 24 09:29:12 nohogu1 nohogu[4506]: Success!
 9월 24 09:29:12 nohogu1 nohogu[4506]: 09:29:12.159 [info] Already up
 9월 24 09:29:14 nohogu1 nohogu[4506]: 09:29:14.948 [info] Running NohoguWeb.Endpoint with Cowboy using http://0.0.0.0:4000
 9월 24 09:29:14 nohogu1 nohogu[4506]: 09:29:14.994 [info] Application nohogu exited: Nohogu.Application.start(:normal, []) returned an error: shutdown: failed to start c
 9월 24 09:29:14 nohogu1 nohogu[4506]:     ** (EXIT) an exception was raised:
 9월 24 09:29:14 nohogu1 nohogu[4506]:         ** (CaseClauseError) no case clause matching: {:aborted, {:bad_type, Pow.Store.Backend.MnesiaCache, :disc_copies, :"nohogu@
 9월 24 09:29:14 nohogu1 nohogu[4506]:             (pow) lib/pow/store/backend/mnesia_cache.ex:144: Pow.Store.Backend.MnesiaCache.table_init/1
 9월 24 09:29:14 nohogu1 nohogu[4506]:             (pow) lib/pow/store/backend/mnesia_cache.ex:54: Pow.Store.Backend.MnesiaCache.init/1
 9월 24 09:29:14 nohogu1 nohogu[4506]:             (stdlib) gen_server.erl:374: :gen_server.init_it/2
 9월 24 09:29:14 nohogu1 nohogu[4506]:             (stdlib) gen_server.erl:342: :gen_server.init_it/6
 9월 24 09:29:14 nohogu1 nohogu[4506]:             (stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
 9월 24 09:29:16 nohogu1 nohogu[4506]: {"Kernel pid terminated",application_controller,"{application_start_failure,nohogu,{{shutdown,{failed_to_start_child,'Elixir.Pow.St
 9월 24 09:29:16 nohogu1 nohogu[4506]: Kernel pid terminated (application_controller) ({application_start_failure,nohogu,{{shutdown,{failed_to_start_child,'Elixir.Pow.Sto
 9월 24 09:29:16 nohogu1 nohogu[4506]: [1B blob data]
 9월 24 09:29:16 nohogu1 nohogu[4506]: Crash dump is being written to: erl_crash.dump...done

config.ex

# Authentication
config :nohogu, :pow,
  user: Nohogu.Users.User,
  repo: Nohogu.Repo,
  web_module: NohoguWeb,
  web_mailer_module: NohoguWeb,
  mailer_backend: NohoguWeb.PowMailer,
	messages_backend: NohoguWeb.Pow.Messages,
	routes_backend: NohoguWeb.Pow.Routes,
	cache_store_backend: Pow.Store.Backend.MnesiaCache,
	session_store: {Pow.Store.CredentialsCache, ttl: :timer.minutes(60), namespace: "credentials"},
	session_ttl_renewal: :timer.minutes(30),
  extensions: [PowResetPassword, PowEmailConfirmation, PowPersistentSession],
  controller_callbacks: Pow.Extension.Phoenix.ControllerCallbacks

endpoint

  plug Plug.Session,
    store: :cookie,
    key: "_nohogu_key",
    signing_salt: "SOME_KEY"

  plug Pow.Plug.Session, otp_app: :nohogu

Hey Dan,

In the docs you mentioned that "the best way is to create and modify our own controllers". Can you provide some examples?

Should we copy/paste the controllers from pow/phoenix/controllers or import something? Maybe a snippet of custom routes could help too.

Context: I'm trying to implement pow in an app where registration should be closed/protected and users are created by something like an admin or a user already created. I want to document the process of the custom install/configuration of pow then I'll make a PR for the guides.

When a user submits a password that does not meet the minimum characters, they currently get the following message: "should be at least %{count} character(s)".

Ecto.Changeset.traverse_errors/2 can be used to insert the count into the error message. The example function in the docs specifically addresses this situation.

I'm not sure where the function to update the error message should be added, but it would improve the error messages to the user.

Hello. A logo is a good idea to improve the project. I can design it voluntarily. What dou you think?

How do we manually create a session given a user?

I was going through the readme trying things out and got the following error when I ran the command to generate the extension templates.

$ mix pow.extension.phoenix.gen.templates --extension PowResetPassword --extension PowEmailConfirmation
warning: found quoted keyword "test" but the quotes are not required. Note that keywords are always atoms, even when quoted, and quotes should only be used to introduce keywords with foreign characters in them
  mix.exs:62

* creating lib/my_app_web/views/pow_reset_password/reset_password_view.ex
** (ArgumentError) argument error
    :erlang.binary_to_existing_atom("edit", :utf8)
    (elixir) lib/string.ex:2169: String.to_existing_atom/1
    (elixir) lib/enum.ex:1314: Enum."-map/2-lists^map/1-0-"/2
    (elixir) lib/enum.ex:1314: Enum."-map/2-lists^map/1-0-"/2
    lib/mix/pow/phoenix.ex:59: Mix.Pow.Phoenix.create_templates/4
    (elixir) lib/enum.ex:765: Enum."-each/2-lists^foreach/1-0-"/2
    (elixir) lib/enum.ex:765: Enum.each/2
    (elixir) lib/enum.ex:765: Enum."-each/2-lists^foreach/1-0-"/2

What are the trade offs of using Postgres for session storage?

Hello!

I tried to follow the installation instructions: added pow to the dependencies, fetched the dependencies using mix deps.get, then executed the mix pow.install command, but got this error:

** (Mix) Could not load UserProfileManager.Repo, error: :nofile. Please configure your app accordingly or pass a repo with the -r option.

What could be the problem? My project is under an umbrella. The output from mix deps.get is this:

Running dependency resolution...
Dependency resolution completed:
cowboy 1.1.2
cowlib 1.0.2
decimal 1.5.0
ecto 2.2.11
file_system 0.2.6
gettext 0.16.0
mime 1.3.0
phoenix 1.3.4
phoenix_ecto 3.5.0
phoenix_html 2.12.0
phoenix_live_reload 1.1.7
phoenix_pubsub 1.1.0
plug 1.6.4
poison 3.1.0
poolboy 1.5.1
pow 1.0.0-rc.4
ranch 1.3.2
All dependencies up to date

I'm trying to i18n the flash messages in PowEmailConfirmation, by adding custom functions in messages backend module NohoguWeb.Pow.Message and add messages_backend: NohoguWeb.Pow.Messages, in config.exs.

But it looks not working well.

Here's the codes:

defmodule NohoguWeb.Pow.Messages do
  use Pow.Phoenix.Messages
  use Pow.Extension.Phoenix.Messages,
    extensions: [PowResetPassword, PowEmailConfirmation, PowPersistentSession]

  import NohoguWeb.Gettext

  def user_not_authenticated(_conn), do: gettext("You need to sign in to see this page.")

  def pow_reset_password_email_has_been_sent(_conn), do: IO.inspect dgettext("pow", "An email with reset instructions has been sent to you. Please check your inbox.")

  def email_has_been_confirmed(_conn), do: IO.inspect dgettext("pow", "The email address has been confirmed.")
  def email_confirmation_failed(_conn), do: dgettext("pow", "The email address couldn't be confirmed.")
  def email_confirmation_required(_conn), do: IO.inspect dgettext("pow", "You'll need to confirm your e-mail before you can sign in. An e-mail confirmation link has been sent to you.")
end

IO.inspect is to leave the logs, but they didn't appear in the console log.

Any idea?

I have a site (https://github.com/axelclark/golf) that has both an html frontend and a graphql api for a mobile app. I have the ResetPassword extension set up for html. I'm trying to enable a user to send the reset token email from their mobile app using graphql.

I'm trying to figure out which Pow.PasswordReset functions to use in my graphql resolver which acts like a controller. The problem is I don't have a conn with the config in it. I just have the user email from the params.

  def create_reset_token(_parent, %{email: email}, _resolution) do
    # Need to create the token and send the email
  end

Any suggestions on how to do this? I only want to enable the create action through graphql.

👋

• The credentials and session are renewed after 15 minutes if any activity is detected
• The credentials and session are renewed when user updates

Hi! Could you please point me to the code where these happen? I tried making a session cache backend backed by postgres, but it seems neither of the last two points work with it. Updating a user with both pow_user_id_field_changeset/2 and
pow_password_changeset/2 in the changeset doesn't make any calls to the session cache process, and no matter the activity, the users still get logged out after 30 minutes. I'm tracing the cache process and don't see any put calls to it being made by any pow module after the initial one -- only gets like this:

# 14:40:11 #PID<0.761.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.get([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

I made a fresh phoenix 1.4 install and followed steps in readme file of Pow to install it:

1. Added it as a dependency and made deps.get
2. Modifies config file
3. Modified Endpoint file
4. Modified Router file

Tried to go to the localhost:4000/registration/new in the browser but got the error:
no route found for GET /registration/new (HelloWeb.Router)

If I make a command mix phx.routes in the console it gives me:

     pow_session_path  GET     /session/new        Pow.Phoenix.SessionController :new
     pow_session_path  POST    /session            Pow.Phoenix.SessionController :create
     pow_session_path  DELETE  /session            Pow.Phoenix.SessionController :delete
pow_registration_path  GET     /registration/edit  Pow.Phoenix.RegistrationController :edit
pow_registration_path  GET     /registration/new   Pow.Phoenix.RegistrationController :new
pow_registration_path  POST    /registration       Pow.Phoenix.RegistrationController :create
pow_registration_path  PATCH   /registration       Pow.Phoenix.RegistrationController :update
                       PUT     /registration       Pow.Phoenix.RegistrationController :update
pow_registration_path  DELETE  /registration       Pow.Phoenix.RegistrationController :delete
            page_path  GET     /                   HelloWeb.PageController :card_index: 

I also tried to access /session/new in the browser but got the same error.
What is wrong with my install?

My router file looks like this:

defmodule HelloWeb.Router do
  use HelloWeb, :router
  use Pow.Phoenix.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/" do
    pipe_through :browser

    pow_routes()
  end

  scope "/", HelloWeb do
    pipe_through :browser

    get "/", PageController, :index
  end

end

I wonder which is the better way to get total registered users count.

How about adding a function to return the count of total users?

1. Return the max id in users table.

• Fast but not precise.
• Not applicable except auto-increment id; ex. UUID.

2. Return the count of primary key in users table.

• Rather fast and precise.

For operation purpose, some managers can change the user's role. But when I tried using Pow.Operations.update/3, it passes through changeset in pow_changeset/2 which requires :current_password. Since the managers don't know other users' password, it blocks from updating fields like `:role'.

What's the better way to update :role for this situation?

It looks Pow.Operations.update/3 allows updating other users, but can't utilize it practically.

For those of us migrating from devise, we have encrypted_password as a field.

For most fields, I can do field :email, :string, [source: :other_field].

Think it would be possible to add in a config option for pow_fields() like pow_fields(password_hash: :encrypted_password?

We can get current active users from several places; phoenix channel, google analytics. But I think the real data can only get from credential store.

There's a similar fn Pow.Store.CredentialsCache.sessions/3, but this shows a list of sessions for a given user.

So, how about support fn which list up current active users? This is a fancy and unique fn, too!

There's a default setting of password_min_length: 10. And I'd like to redefine it to 8 because it's widely accepted. I don't want to bother or enforce the inconveniences to my users.

How can I redefine some default configurations like password_min_length? Adding password_min_length: 8 in the config.exs didn't work.

We are deploying to Heroku which as I understand doesn't support mnesia?
Can you use redis with pow for session storage?

I'm looking over the extension PowEmailConfirmation to find fn confirm! which is required in dev seed and tests.

And I found that this extension has a lot different style than Elixir de-facto standards two mainly;

1. PowEmailConfirmation.Plug - Plug only and should implement two functions init/1 and call/2. I believe this module is sufficient to be renamed PowEmailConfirmation to avoid conflict and excessive encapsulation. (This is applied to the other modules as well.)
2. Pow.UUID - I cannot find any reason to replace the Ecto.UUID or elixir_uuid. We don't need to reinvent the wheel.

I see that you are using PBKDF2-SHA512 for password hashing. Would you ever consider moving to Argon2?

Both :last_login_at and :last_login_ip attributes are useful when providing basic security protection.

Maybe :updated_at can be used in replace for :last_login_at though not proper. (for example, when user changed name or password).

In the readme of PowEmailConfirmation, manual email confirmation by setting up :email_confirmed_at is described.

But in my test seed it didn't work. I think :email_confirmed_at field is not casted in the changeset.

Seed codes are like this;

user_params = %{name: "na", email: "na@some_url.com", password: "abcd1234", confirm_password: "abcd1234", email_confirmed_at: DateTime.utc_now()}
{:ok, na_user} = Pow.Operations.create(user_params, otp_app: :myapp)

Fortunately, PowEmailConfirmation.Ecto.Context.confirm_email/2 is working as expected.

My user registration process is register -> confirm email -> Create Userinfo record when confirmed.

To implement Creating Userinfo record when confirmed three approaches were made.

First I tried modifying Ecto changeset. But it didn't work since id is available yet, prepare_changes can't access User's id field.

Next I tried using Callback routes.

def after_registration_path(conn) do
  # This returns nil
  current_user = Pow.Plug.current_user(conn)
  # This didn't work.
  Myapp.Generals.create_userinfo(%{user_id: current_user.id})
  Routes.page_path(conn, :index)
end

It didn't work. Simply because conn doesn't have :current_user as it's not email confirmed yet.

Last, I'm trying ControllerCallbacks now. Since I can access user there, it seems to be working there. But I can't figure out where and how to configure callbacks. So can you explain more in the readme?

At present controller_callbacks: Pow.Extension.Phoenix.ControllerCallbacks is set in config. But it won't touch my custom callbacks. I can't sure that it can be replaced with my custom callbacks.

When I run mix pow.extension.ecto.gen.migrations --extension PowResetPassword or just mix pow.extension.ecto.gen.migrations with the following in config/config.exs, my project compiles, but then the Ecto migrations aren't generated.

# config/config.exs
...
config :golf, :pow,
  user: Golf.Accounts.User,
  repo: Golf.Repo,
  extensions: [PowResetPassword, PowPersistentSession]

Here is my branch: https://github.com/axelclark/golf/tree/pow

I'm using

{:ecto_sql, "~> 3.0"},
{:pow, "~> 1.0.0"}

have you got an example project, a reference project, of Pow, Pow Assent and Phoenix Oauth2 Provider working together?

I am interested in an umbrella app scenario

Hi, great library!

Thanks to how configurable it is I've been able to use it in my app which is just an API. I'm trying to write tests for my SessionController and when POSTing valid credentials, it seems like the password_hash never gets generated. It works fine outside of the test which leads me to believe it might be a config I need to set somewhere... any idea what I might be missing?

Add two factor support to Pow with at least OTP and FIDO U2F support.

Good primer for ensuring secure and useful two factor setup: https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1

Edit: Here's some security considerations: https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f

MFA auth

• WebAuthn
• OTP/TOTP
• Recovery codes
• E-mail/magic link
• Device authorization (in app)

Process

In general the MFA authentication process will go like this:

User ID & password --> MFA authorization --> Signed in

OR as passwordless:

User ID --> MFA authorization --> Signed in

This latter option could also be all on the same page for some of the above methods. The MFA methods can also be used for the registration process.

There should be a controller action for handling 2FA auth, and probably one for handling registration with 2FA. Maybe one for managing 2FA methods.

WebAuthn links

https://webauthn.guide/
https://auth0.com/blog/web-authentication-webauthn-overview-demo-tool/

Suggested Ecto schema

There're two ways to go about this. Embedded or separate table. Separate table may make it easier to not require user id, but it could be that the user id should just be set to generated_id if developers wish to login without user id with a randomly generated id that will be stored with the authenticator.

field :type, :string
field :nickname, :string
field :settings, :map

WebAuthn use case

WebAuthn allows for no user id and can be used for single authentication.

The WebAuthn will store at minimum the following data:

{
  credential_id: "credential_id",
  cose_key: "cose_key"
}

For no user id setup, the user id used for the authenticator could be a randomly generated id that's stored in the authenticator schema.

TOTP use case

TOTP can only be used for 2FA. The data stored would be the following:

{
  issuer: "My Service",
  otp_secret: "secret",
  last_otp_at: "492039"
}

Version info:

Windows 10
Erlang/OTP 21 [erts-10.0.1] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1]
Elixir 1.7.3 (compiled with Erlang/OTP 19)
Phoenix v1.3.4

I'm following the getting started guide. Although the code examples look different now (likely due to using newer versions of Elixir and Phoenix), I think I have managed to set it up correctly.

When visiting http://localhost:4000/registration/new, I get the following error:

[error] #PID<0.394.0> running MyAppWeb.Endpoint (cowboy_protocol) terminated
Server: localhost:4000 (http)
Request: GET /registration/new
** (exit) an exception was raised:
    ** (Pow.Config.ConfigError) No :user configuration option found for user schema module.
        (pow) lib/pow/config.ex:55: Pow.Config.raise_error/1
        (pow) lib/pow/operations.ex:18: Pow.Operations.changeset/2
        (pow) lib/pow/phoenix/controllers/registration_controller.ex:15: Pow.Phoenix.RegistrationController.process_new/2
        (pow) lib/pow/phoenix/controllers/controller.ex:87: Pow.Phoenix.Controller.action/3
        (pow) lib/pow/phoenix/controllers/registration_controller.ex:1: Pow.Phoenix.RegistrationController.action/2
        (pow) lib/pow/phoenix/controllers/registration_controller.ex:1: Pow.Phoenix.RegistrationController.phoenix_controller_pipeline/2
        (my_app) lib/my_app_web/endpoint.ex:1: MyAppWeb.Endpoint.instrument/4
        (phoenix) lib/phoenix/router.ex:278: Phoenix.Router.__call__/1
        (my_app) lib/my_app_web/endpoint.ex:1: MyAppWeb.Endpoint.plug_builder_call/2
        (my_app) lib/plug/debugger.ex:122: MyAppWeb.Endpoint."call (overridable 3)"/2
        (my_app) lib/my_app_web/endpoint.ex:1: MyAppWeb.Endpoint.call/2
        (plug) lib/plug/adapters/cowboy/handler.ex:16: Plug.Adapters.Cowboy.Handler.upgrade/4
        (cowboy) c:/Code/my_app/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4

Contents of config.exs:

# This file is responsible for configuring your application
# and its dependencies with the aid of the Mix.Config module.
#
# This configuration file is loaded before any dependency and
# is restricted to this project.
use Mix.Config

# General application configuration
config :my_app, :pow,
  user: MyApp.Users.User,
  ecto_repos: [MyApp.Repo] # Notice that this is different from the getting started guide

# Configures the endpoint
config :my_app, MyAppWeb.Endpoint,
  url: [host: "localhost"],
  secret_key_base: "my_secret",
  render_errors: [view: MyAppWeb.ErrorView, accepts: ~w(html json)],
  pubsub: [name: MyApp.PubSub,
           adapter: Phoenix.PubSub.PG2]

# Configures Elixir's Logger
config :logger, :console,
  format: "$time $metadata[$level] $message\n",
  metadata: [:user_id]

# Import environment specific config. This must remain at the bottom
# of this file so it overrides the configuration defined above.
import_config "#{Mix.env}.exs"

Output of mix ecto.setup:

warning: could not find Ecto repos in any of the apps: [:my_app].

You can avoid this warning by passing the -r flag or by setting the
repositories managed by those applications in your config/config.exs:

    config :my_app, ecto_repos: [...]

warning: could not find Ecto repos in any of the apps: [:my_app].

You can avoid this warning by passing the -r flag or by setting the
repositories managed by those applications in your config/config.exs:

    config :my_app, ecto_repos: [...]

I'm investigating this now; trying to find the cause. If/when I figure it out, I will update this issue. Figured I'd post it here, in case other beginners encounter the same issue in the future.

https://github.com/danschultzer/pow/blob/fcc6d45b4fce6ec8093514a71ca68abae0536ea9/lib/pow/ecto/schema.ex#L176

When a new user adds a space at the end of their email, they will get a format error in the form. The error isn't obvious and may cause confusion.

Consider adding String.trim/1 in addition to String.downcase/1 to the Pow.Ecto.Schema.normalize_user_id_field_value/1 function.

There seems two (or more?) places to configure credential TTL; Pow.Plug.Session and Pow.Store.Base.

Where can I set up the credential TTL?

There are some email templates types of html and text. At first I followed document guide, but it didn't work.

Mine is currently providing both English and Korean and going to add some Asian languages soon.

If you're busy then I can make PR. (I don't fully understand pow yet.)

Hi!

I wonder if there are any additional changes required to make custom controllers work with extensions like persistent session plug.

However, to make it easier to integrate extension, you can add callbacks to the controllers that do some light pre/post-processing of the request:

From https://github.com/danschultzer/pow#phoenix-controllers, seems to imply that using custom controllers breaks Pow.Extension.Phoenix.ControllerCallbacks, that is, there are no traces of any function in Pow.Extension.Phoenix.ControllerCallbacks being called during login/logout when using custom controllers.

Ok forgive me, totally new at Phoenix and app dev in general so the obvious is not very obvious.

I have an Umbrella app with a db elixir app managing my repo.

I do not understand the ELixir/Phoenix relationship well enough yet and suffer major OCD - I am using Phoenix apps in my umbrella for an admin UI and my REST API and understand the sorta the need for 2 folders in a Phoenix app lib for App(business logic) and App_Web (presentation). Where my OCD kicks in overdrive is having to use a Phoenix app in my umbrella for an app that does not require a UI and therefore that App_Web folder Phoenix provides.

In my mind, Auth (POW) supports access through the phoenix rest api app to the business logic in all my umbrella apps and should stand alone. So I am trying to setup POW as an Elixir only app in the umbrella with mix new auth --module Auth --sup. I do not want Auth to be a Phoenix app that requires me to stare at the damn App-Web folder all day.

Maybe (likely) I am just plain wrong and do not get it yet.

In any case, reading what I can find in DuckDuckGo about POW and of course your git repo you mention using a plug instead of Phoenix but sadly only provide a getting started with a Phoenix app.

Can you help a brother out and provide an example of using POW in an umbrella Elixir app using a Plug? I am going to keep digging and will probably hack it out but will likely be wrong, wrong, wrong.

FWIW I am also using Triplex (multi-tenant by schema) in my elixir dbapp and have the following umbrella setup I am reasoning through:

• accounts: (Elixir app managing business logic for all accounts ie Persons, Companies, Patients, Doctors - Triplex tenant logic lives here)
• api_rest: (Phoenix app manages api connections)
• api_graphql (Phoenix/Absinthe app manages gql connections)
• auth (Elixir app manages all authentication using POW I hope)
• db (Elixir app managing migrations and schemas for all persisted entities)
• inventory (Elixir app managing the business logic for inventory control)
• ... (other Elixir apps managing the different business contexts in my app)

Thanks in advance for any help, updates or references to anything that may help me get on track...

Is there a way to make current password optional when riding user?