
ianwalter / bouncer

Licence: other
Token-based authorization and session management for Phoenix (Elixir)

Bouncer (beta)

Token-based authorization and session management for Phoenix (Elixir)

Why

I needed a way to authorize API requests to my Phoenix application. Addict didn't fit the bill since it uses Phoenix's built-in session system. Phoenix uses cookies to authorize requests but when dealing with an API, it's easier to deal with an Authorization header. Phoenix's session system also uses memory or ETS to store session data and this wouldn't work for my application which would be scaled horizontally and so would be running on multiple machines. Redis is great at solving this problem because it's crazy-fast and can be accessed by multiple machines. The ecosystem around Redis is strong so working with the session data is pretty easy.

Guardian also wouldn't work because it uses JSON Web Tokens (JWT) as the basis for its authorization scheme. JWTs can work but I don't believe it's a better system than the traditional session-based system. JWTs don't provide a way of immediately invalidating user sessions, instead relying on short token lifetimes. The ability to immediately invalidate a session is a feature that I find useful in certain situations (e.g. when a user resets their password).

Features

  • Creating a session returns a token that can be used in the authorization header of each API request.
  • Backed by Redis so it's able to be used in a multi-server or multi-container environment without configuring sticky sessions. Also, Redis is pretty fast.
  • Simple API to create, update, and destroy session data.
  • Simple API to generate, verify, and regenerate email verification or password reset tokens.

Installation

Bouncer is available on Hex; the package can be installed as follows:

  1. Add bouncer to your list of dependencies in mix.exs:
```elixir
def deps do
  [{:bouncer, "~> 0.3.0"}]
end
```
  2. Ensure bouncer is started before your application:
```elixir
def application do
  [applications: [:bouncer]]
end
```

Requirements & Configuration

Bouncer requires the Phoenix framework because it uses Phoenix's Token module to generate the tokens that serve both as the Authorization header value and as the session key. Despite this requirement, I imagine it could be used with any Plug-based framework. Bouncer provides a plug that can be used to authorize a request for certain controllers and/or controller actions; a request without a valid token is rejected before the action runs:

```elixir
# This would be added near the top of a UserController, for example
plug Bouncer.Plugs.Authorize when action in [:show, :update, :delete]
```

Bouncer only has one session store adapter so far: Redis. Bouncer uses the fantastic Redix library to interface with Redis, and we've added a module called Bouncer.RedixPool that pools connections to Redis. Here's what you would put in your environment's configuration file:

```elixir
# config/dev.exs
config :bouncer,
  adapter: Bouncer.Adapters.Redis,
  redis: "redis://somehost:6379/1"
```

The second configuration option, redis, is not necessary if your Redis instance is on localhost and using the default port. You might want to specify a different database (e.g. redis://localhost:6379/2) in your test configuration file so that test runs never touch development session data.
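To make the design described above concrete (a signed Phoenix token handed out as a bearer credential, with the authoritative session record in Redis so that deleting the record revokes the token immediately), here is an added illustration. It is not Bouncer's source and does not use Bouncer's API; it assumes an endpoint named `MyApp.Endpoint`, a Redix process started with `{Redix, name: MyApp.Redix}`, and the hypothetical module names `MyApp.TokenSession` and `MyApp.Plugs.RequireSession`. The salt and TTL values are likewise assumptions.

```elixir
# Added example, not Bouncer's code: a minimal Redis-backed bearer-token session.
# Assumed names: MyApp.Endpoint, MyApp.Redix (a named Redix connection),
# MyApp.TokenSession, MyApp.Plugs.RequireSession.
defmodule MyApp.TokenSession do
  @salt "api session"              # assumed; must be unique to this token purpose
  @ttl_seconds 60 * 60 * 24 * 14   # assumed 14-day session lifetime

  # Issue a signed token and create the server-side session record under it.
  # The signature proves the token came from us; the Redis record proves the
  # session has not been revoked. Both are required to be authorized.
  def create(user_id) when is_integer(user_id) do
    token = Phoenix.Token.sign(MyApp.Endpoint, @salt, user_id)
    ttl = Integer.to_string(@ttl_seconds)

    case Redix.command(MyApp.Redix, ["SET", session_key(token), Integer.to_string(user_id), "EX", ttl]) do
      {:ok, "OK"} -> {:ok, token}
      {:error, reason} -> {:error, reason}
    end
  end

  # Check the signature first (cheap, no Redis round trip for garbage input),
  # then require the session record to still exist and match the signed user id.
  def verify(token) when is_binary(token) do
    with {:ok, user_id} <- Phoenix.Token.verify(MyApp.Endpoint, @salt, token, max_age: @ttl_seconds),
         {:ok, stored} when is_binary(stored) <- Redix.command(MyApp.Redix, ["GET", session_key(token)]),
         true <- stored == Integer.to_string(user_id) do
      {:ok, user_id}
    else
      {:ok, nil} -> {:error, :revoked}      # key gone: logged out, password reset, or expired
      false -> {:error, :mismatch}
      {:error, reason} -> {:error, reason}  # :invalid or :expired from Phoenix.Token, or a Redis error
    end
  end

  # Immediate invalidation: once the key is deleted, verify/1 fails even though
  # the token's signature is still valid. Call this on logout and password reset.
  def destroy(token) when is_binary(token) do
    Redix.command(MyApp.Redix, ["DEL", session_key(token)])
  end

  # Store under a hash of the token so a leaked Redis dump does not contain
  # usable bearer credentials.
  defp session_key(token) do
    "session:" <> Base.encode16(:crypto.hash(:sha256, token), case: :lower)
  end
end

defmodule MyApp.Plugs.RequireSession do
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  # Accept only "Authorization: Bearer <token>"; anything else is a 401 and the
  # pipeline halts so the controller action never runs.
  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user_id} <- MyApp.TokenSession.verify(token) do
      conn
      |> assign(:current_user_id, user_id)
      |> put_private(:auth_token, token)
    else
      _ ->
        conn
        |> send_resp(:unauthorized, "")
        |> halt()
    end
  end
end
```

The plug is used the same way as the one above (`plug MyApp.Plugs.RequireSession when action in [...]`), and a logout action just calls `MyApp.TokenSession.destroy(conn.private.auth_token)`. The order in `verify/1` matters: verifying the signature before touching Redis keeps unauthenticated requests from turning into Redis traffic, while still refusing a correctly signed token whose record has been deleted, which is exactly the property JWT-only schemes lack.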

Documentation

The source is really small so reading through it should be straight-forward but the full package documentation is available at https://hexdocs.pm/bouncer.

Example of a SessionController

Here's an example of how you can use the Bouncer.Session API in your application:

```elixir
# web/controllers/session_controller.ex
defmodule MyApp.SessionController do
  use MyApp.Web, :controller

  alias MyApp.User
  alias MyApp.UserView
  alias Bouncer.Session
  alias Comeonin.Bcrypt

  # Only logout needs an existing session; login (create) is unauthenticated.
  plug Bouncer.Plugs.Authorize when action in [:delete]

  def create(conn, %{"user" => user_params}) do
    case Repo.get_by(User, %{username: user_params["username"]}) do
      nil ->
        # Run a dummy bcrypt check so an unknown username takes as long as a
        # wrong password, and return the same status for both cases so the
        # response does not reveal which usernames exist.
        Bcrypt.dummy_checkpw()
        send_resp(conn, :bad_request, "")

      user ->
        if Bcrypt.checkpw(user_params["password"], user.encrypted_password) do
          user_map = User.to_map(user, true)
          # The returned token is what the client sends back in the
          # Authorization header on subsequent requests.
          {:ok, token} = Session.generate(conn, user_map)

          conn
          |> put_status(:created)
          |> render("create.json", %{user: user_map, token: token})
        else
          send_resp(conn, :bad_request, "")
        end
    end
  end

  # Destroying the session invalidates the token immediately on the server side.
  def delete(conn, _params) do
    if user = conn.private.current_user do
      case Session.destroy(conn.private.auth_token, user["id"]) do
        {:ok, _} -> send_resp(conn, :no_content, "")
        _ -> send_resp(conn, :bad_request, "")
      end
    else
      send_resp(conn, :unauthorized, "")
    end
  end
end
```