Check UIDs instead of auth tokens #22
Conversation
| else | ||
| {:error, :token_mismatch} | ||
| end | ||
| authorization -> authorization |
There was a problem hiding this comment.
if authorization is found using UID and provider we simply return it without checking the tokens. Token checks prevents users from logging out and then logging back again, because tokens change between authorizations.
There was a problem hiding this comment.
What happens in this case though? We have an authorization that represents 'google' for user x. If the token is different it's still the same record correct? We would just need to update the token provided (I think)
There was a problem hiding this comment.
@hassox I would put it somewhere in between here https://github.com/hassox/phoenix_guardian/blob/ueberauth-guardian/web/auth/user_from_auth.ex#L11
After everything when throw without any problem with the user or the authorization. We check if the token is different (I don't know the correlation with expires_at) and save the newest token so we keep the latest token in our end.
Make sense?
Fix for issue #12