Working on Phoenix Liveview #115

Open
9to1url opened this issue Feb 27, 2020 · 4 comments
@9to1url

9to1url commented Feb 27, 2020

Problem

Tried to use on Liveview websocket, but not working

Solution

Need to work on Liveview

Additional info

Looks like not able to compile:

```elixir
defmodule HelloWeb.UserLive.Index do
  use Phoenix.LiveView
```

```
lib/hello_web/live/user_live/index.ex:11: undefined function plug/1
```

@riverrun
Owner

riverrun commented Mar 5, 2020

First of all, sorry about the delay in getting back to you - I haven't felt well recently.

About the undefined function plug/1 error, if you import Plug.Conn, that should solve that problem. However, I am not sure how liveview works, and so I don't know how often, or if, the plug function will be run.

@karolsluszniak

Just FYI, I had no problem making Phauxth work with LiveView using the following "helper" module:

```elixir
defmodule PlaygroundWeb.Auth.Live do
  @moduledoc """
  Provides authenticated user to live views.

  ## Usage

      defmodule PlaygroundWeb.HomeLive do
        use PlaygroundWeb, :live
        import PlaygroundWeb.Auth.Live

        def mount(_params, session, socket) do
          socket = put_current_user(socket, session)

          # ...
        end

  """

  def get_current_user(session) do
    with {:ok, session_id} <- Map.fetch(session, "phauxth_session_id"),
         user = %{} <- Playground.Accounts.get_by(%{"session_id" => session_id}) do
      user
    else
      _ -> nil
    end
  end

  def put_current_user(socket, session) do
    Phoenix.LiveView.assign(socket, current_user: get_current_user(session))
  end
end
```

My concern here, in the context of long-lived live view sessions, is that this solution is affected by session expiration after the @max_age from Session passes. This is not live view's flaw per se, as regular HTTP routes do the same - it simply seems there's no "session renewal" mechanism built into Phauxth.Authenticate.

@riverrun From your perspective, how should this be approached, both in the context of regular HTTP requests and long-lived live views? I saw #38 for API tokens, so I'm wondering if the solution would be similar for sessions, e.g. to add an HTTP plug after Phauxth.Authenticate that renews the session when it's about to expire - not too often of course, e.g. when we have 1 hour left in the session. In such a case, if we'd bump expires_at in the existing Session record instead of deleting & inserting it, live view would always have an up-to-date phauxth_session_id. Is there a downside or security hole in here?

@9to1url
Author

9to1url commented May 1, 2020

I think it is more and more clear that many apps are moving in the LiveView direction; LiveView support is mandatory now. Please implement. Also, Phx 1.5 is out. Thanks!!!

@dsignr

dsignr commented May 7, 2021

> Just FYI, I had no problem making Phauxth work with LiveView using the following "helper" module:
>
> ```elixir
> defmodule PlaygroundWeb.Auth.Live do
>   @moduledoc """
>   Provides authenticated user to live views.
>
>   ## Usage
>
>       defmodule PlaygroundWeb.HomeLive do
>         use PlaygroundWeb, :live
>         import PlaygroundWeb.Auth.Live
>
>         def mount(_params, session, socket) do
>           socket = put_current_user(socket, session)
>
>           # ...
>         end
>
>   """
>
>   def get_current_user(session) do
>     with {:ok, session_id} <- Map.fetch(session, "phauxth_session_id"),
>          user = %{} <- Playground.Accounts.get_by(%{"session_id" => session_id}) do
>       user
>     else
>       _ -> nil
>     end
>   end
>
>   def put_current_user(socket, session) do
>     Phoenix.LiveView.assign(socket, current_user: get_current_user(session))
>   end
> end
> ```
>
> My concern here, in the context of long-lived live view sessions, is that this solution is affected by session expiration after the @max_age from Session passes. This is not live view's flaw per se, as regular HTTP routes do the same - it simply seems there's no "session renewal" mechanism built into Phauxth.Authenticate.
>
> @riverrun From your perspective, how should this be approached, both in the context of regular HTTP requests and long-lived live views? I saw #38 for API tokens, so I'm wondering if the solution would be similar for sessions, e.g. to add an HTTP plug after Phauxth.Authenticate that renews the session when it's about to expire - not too often of course, e.g. when we have 1 hour left in the session. In such a case, if we'd bump expires_at in the existing Session record instead of deleting & inserting it, live view would always have an up-to-date phauxth_session_id. Is there a downside or security hole in here?

A simpler solution that I would just try is to redirect the user to the login page post expiry notice from the authenticate function. If your application requires long-lived sessions, then the right way is probably to increase the expiry of the session itself. That's how I would do it anyway, just my $0.02. Hence, I think just using your helper and having authenticate redirect to login post expiry would close this issue IMO.
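
The renewal idea discussed in this thread (bump expires_at in place once less than an hour is left), sketched as an added example that is not part of any comment here and is not Phauxth code. The module name, the map keys `:inserted_at` and `:expires_at`, the 4-hour `@max_age` and the 7-day absolute cap are assumptions; the cap is there so that a renewed session id cannot stay valid indefinitely.

```elixir
defmodule SessionRenewalSketch do
  @moduledoc """
  Added example: sliding renewal of a server-side session record, bounded by an
  absolute lifetime. Keys and durations are assumptions, not Phauxth's schema.
  """

  @max_age 4 * 60 * 60            # seconds added by each renewal (assumed)
  @renew_window 60 * 60           # renew only when under 1 hour is left
  @absolute_max 7 * 24 * 60 * 60  # hard cap counted from creation (assumed)

  @doc "Returns {:ok, session}, {:renewed, session} or {:expired, session}."
  def check(%{inserted_at: created, expires_at: expires} = session, now \\ DateTime.utc_now()) do
    hard_limit = DateTime.add(created, @absolute_max, :second)
    remaining = DateTime.diff(expires, now, :second)

    cond do
      # Expired sessions are never revived; the user has to log in again.
      remaining <= 0 or DateTime.compare(now, hard_limit) != :lt ->
        {:expired, session}

      # Close to expiry: bump expires_at on the same record, so the session id
      # handed to a LiveView at mount stays valid, but never past the hard limit.
      remaining <= @renew_window ->
        candidate = DateTime.add(now, @max_age, :second)
        capped? = DateTime.compare(candidate, hard_limit) == :gt
        {:renewed, %{session | expires_at: if(capped?, do: hard_limit, else: candidate)}}

      true ->
        {:ok, session}
    end
  end
end

# Constructed sample record: created 08:00, expires 12:00 on the same day.
session = %{
  id: "constructed-session-id",
  inserted_at: ~U[2020-05-01 08:00:00Z],
  expires_at: ~U[2020-05-01 12:00:00Z]
}

{:ok, _} = SessionRenewalSketch.check(session, ~U[2020-05-01 09:00:00Z])
{:renewed, renewed} = SessionRenewalSketch.check(session, ~U[2020-05-01 11:30:00Z])
:eq = DateTime.compare(renewed.expires_at, ~U[2020-05-01 15:30:00Z])
{:expired, _} = SessionRenewalSketch.check(session, ~U[2020-05-01 12:00:01Z])
```

The helper quoted in the thread reads the session only in `mount`, so a connected LiveView keeps its `current_user` assign until it remounts or runs a check like this again.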
