
Comments (2)

dsignr avatar dsignr commented on June 2, 2024

@riverrun David, here's how I use refresh tokens right now w/ Phauxth. This file resides in my controllers folder inside API/auth. Maybe you can just add this to the generator for the API with slight changes:

```elixir
defmodule XYZWeb.API.Auth.Token do
  @moduledoc """
  Custom token implementation using Phauxth.Token behaviour and Phoenix Token.
  """

  @behaviour Phauxth.Token

  alias Phoenix.Token
  alias XYZWeb.Endpoint

  @access_token_max_age 259_200 # 3 days
  @refresh_token_max_age 31_536_000 # 1 year
  @access_token_salt "ABC" # change this to a proper salt if you don't want to get pwned
  @refresh_token_salt "DEF" # change this to a proper salt if you don't want to get pwned

  def max_age(token_type \\ :access_token) do
    case token_type do
      :refresh_token -> @refresh_token_max_age
      _ -> @access_token_max_age
    end
  end

  # The Phauxth.Token callbacks are sign/2 and verify/2; the default arguments
  # below generate those arities. A separate explicit sign/1 clause would clash
  # with these defaults and fail to compile, so there is none.
  # Max age is not supported for signing; it is enforced in verify/3.
  @impl true
  def sign(data, opts \\ [], token_type \\ :access_token) do
    case token_type do
      :access_token -> Token.sign(Endpoint, @access_token_salt, data, opts)
      :refresh_token -> Token.sign(Endpoint, @refresh_token_salt, data, opts)
    end
  end

  # Each token type is verified with its own salt and max age, so an access
  # token presented as a refresh token (or vice versa) fails with {:error, :invalid}.
  @impl true
  def verify(token, opts \\ [], token_type \\ :access_token) do
    case token_type do
      :access_token -> Token.verify(Endpoint, @access_token_salt, token, updated_opts(opts, @access_token_max_age))
      :refresh_token -> Token.verify(Endpoint, @refresh_token_salt, token, updated_opts(opts, @refresh_token_max_age))
    end
  end

  # Force the max_age for the token type, overriding any caller-supplied value.
  defp updated_opts(opts, new_max_age), do: Keyword.put(opts, :max_age, new_max_age)
end
```

from phauxth.

dsignr avatar dsignr commented on June 2, 2024

So a brief explanation of how I use the above. When the access token expires, the client sends the refresh token as a Bearer token in the API call; if it's valid, my endpoint generates a new access token, which is cached on the mobile app or wherever I'm consuming it. One thing to add here is that refresh tokens should ONLY be generated once during the lifetime of a user using your app for maximum security. So, maybe the very first time they sign up or when they reset their account. It's a security violation if you keep generating a refresh token upon every renewal request. Only generate an access token for renew endpoints. Cheers.

from phauxth.
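The renew flow described in the comment above, as an added example that is not code from the issue or from the phauxth project: a Phoenix controller built on the `XYZWeb.API.Auth.Token` module from the first comment. The controller and action names, the route, the `use XYZWeb, :controller` setup, the `issue_tokens/1` sign-up helper and the JSON shape are assumptions.

```elixir
defmodule XYZWeb.API.Auth.RenewController do
  use XYZWeb, :controller

  alias XYZWeb.API.Auth.Token

  # Assumed sign-up helper: the one place a refresh token is generated.
  # The same payload is later re-signed as an access token on renewal.
  def issue_tokens(user_id) do
    data = %{"user_id" => user_id}

    %{
      access_token: Token.sign(data, [], :access_token),
      refresh_token: Token.sign(data, [], :refresh_token)
    }
  end

  # Assumed route: POST /api/auth/renew with "Authorization: Bearer <refresh token>".
  # Only a new access token is minted here; the refresh token is never re-issued.
  def create(conn, _params) do
    with ["Bearer " <> refresh_token] <- get_req_header(conn, "authorization"),
         {:ok, data} <- Token.verify(refresh_token, [], :refresh_token) do
      json(conn, %{
        access_token: Token.sign(data, [], :access_token),
        expires_in: Token.max_age(:access_token)
      })
    else
      # Covers a missing or malformed header, an expired refresh token
      # ({:error, :expired}) and an access token presented at this endpoint
      # ({:error, :invalid}, because the two token types use different salts).
      _ ->
        conn
        |> put_status(:unauthorized)
        |> json(%{error: "invalid or expired refresh token"})
    end
  end
end
```

Because the refresh salt differs from the access salt, a leaked short-lived access token cannot be replayed against this endpoint to obtain a fresh one.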
