
The beautiful thing about Phoenix framework is that there is no "one-true way" to do things. Rails is omakase, Phoenix is not, and that's a good thing.

You want the whole enchilada? Use Guardian.

Need OAuth? Use ueberauth.

Just want email and password? Use comeonin to hash your password.

It's liberating to know exactly how your system works and that it's not hidden behind some magical blackbox like Devise.



A blackbox is not what I was asking for. I would be happy to find the features you described (and many more) in one (extensible) place like e.g. Phoenix.Security.


The problem with that approach: imagine if Phoenix had a Phoenix.Security.sign_in function. How do you want to sign in?

With a cookie?

With a server-side session?

With a database session?

With an authentication token in GET params?

With an authentication token in the header?

You make the choices for your specific use case and implement them using laser-focused, great packages. One system I built authenticates with an `authenticationToken` GET param; I look for that in a Plug, then assign the current_user to the conn object.

For non-api requests, I use plain old sessions.
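The plug described in the comment above, written out as an added example (not the commenter's code): API requests carry an `authenticationToken` query param, everything else falls back to the session, and a missing or unknown token halts the request with 401. `MyApp.Accounts.get_user_by_token_digest/1` and `MyApp.Accounts.get_user/1` are assumed application functions; tokens are stored as SHA-256 digests so a leaked table does not leak usable tokens. Since query strings tend to end up in server and proxy logs, a header is the safer place for the token in practice.

```elixir
defmodule MyAppWeb.Plugs.Authenticate do
  # Hypothetical plug, not from the thread. Mount with `plug MyAppWeb.Plugs.Authenticate`
  # in the router pipelines; the browser pipeline must run `fetch_session` first.
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    conn = fetch_query_params(conn)

    user =
      case conn.query_params do
        %{"authenticationToken" => token} -> user_from_token(token)
        _ -> user_from_session(conn)
      end

    case user do
      # Unknown or missing credentials: stop the pipeline here.
      nil -> conn |> send_resp(401, "unauthorized") |> halt()
      user -> assign(conn, :current_user, user)
    end
  end

  # Look the token up by digest rather than plaintext (assumed schema:
  # the accounts table stores only the SHA-256 of each issued token).
  defp user_from_token(token) when is_binary(token) do
    digest = :crypto.hash(:sha256, token)
    MyApp.Accounts.get_user_by_token_digest(digest)
  end

  defp user_from_token(_), do: nil

  # Non-API requests: plain session, as the comment describes.
  defp user_from_session(conn) do
    case get_session(conn, :user_id) do
      nil -> nil
      id -> MyApp.Accounts.get_user(id)
    end
  end
end
```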


For me the sweet spot is somewhere in between. If it just shipped with a decent auth module that would work for 90% of people, but that could also be easily replaced or extended if needed, that would be the best of both worlds.


Even Rails doesn't ship with an auth module though. Lots of people use Devise and there is an equivalent for Elixir (Coherence)... but shipping with auth built in is an exploit waiting to happen IMO.



has_secure_password is not an "auth module". That's simply a handy function to handle a password attribute... which an actual auth module can make use of if it desired.


My mistake. :) Was that added in 5?

Am I reading that right or is it just comparing an unencrypted string to the encrypted version?


It was added in 3.1 (http://guides.rubyonrails.org/3_1_release_notes.html) and uses bcrypt under the hood.


Laravel does, and their more batteries-included approach is nice, in my opinion.


Guardian is annoying to set up but works for me. I just want something that generates a JWT and takes a JWT.


I've been using Joken for that (JWT); I just finished writing up some code that integrates with Auth0 and pulls in the signing certificate from the Auth0 domain (.well-known/jwks.json).



