
Basic HTTP Authentication in Elixir/Phoenix - pplonski86
http://nts.strzibny.name/basic-http-authentication-in-elixir-phoenix/
======
softwarelimits
This is the lesson to learn from Elixir/Phoenix and every web framework that
does not come with a strong security concept: if you do not build solid
authentication and authorization into the framework from the ground up,
bazillions of half-baked libraries will pop up, and even more blog posts about
how to do auth "the right way", and still there will never be the right way as
long as the framework does not implement this.

Many eyes on security-relevant code is one of the most important reasons for
using open source frameworks for web development, so it is very unfortunate
if exactly this part is missing; it will always look incomplete.

Of course this leaves room for professional services, I understand that, but I
believe the damage done is greater than the opportunities generated. The
current situation for "Phoenix auth libraries" is horrible - as a developer
you will

  * waste a lot of time researching and testing all the available solutions
  * or just take one "random solution from the internet" that "looks good enough"
  * or you will just implement another solution yourself.

Instead you want to build on the solution that is provided and maintained by
the core framework community.

This is such a sad story. Elixir / Phoenix looks so nice, but without a strong
security foundation it looks incomplete. Authorization and authentication are
not even mentioned in the docs - that is absurd!

I simply cannot understand why the project leaders are ignoring this
important area.

~~~
impostir
I am just learning coding for the web. Security is something that is clearly
important, but I am unsure on a lot of specifics. Do you have any suggestions
for a beginner?

~~~
sansnomme
Learn how the basic user registration to login workflow works, i.e. user sign-up
-> password hashing -> confirmation email etc. There are also "alternative"
methods such as Medium-style "email a login link" logins and also stuff
like OAuth. Stick with large frameworks and libraries: Rails with Omniauth and
Devise; Django comes with auth built in. Avoid auth frameworks which don't
build upon the framework's built-in systems. Learn the difference between
authorization and authentication. DO NOT ATTEMPT TO ROLL YOUR OWN AUTH FOR
PRODUCTION. A lot of concepts regarding auth are simple in theory, but if you
have a poor grasp of the implementation language or the authentication
protocol, you are going to introduce vulnerabilities. Stick to boring,
battle-tested stuff. Yes, that means you should avoid the
latest-web-framework-of-the-week-that-doesn't-include-auth when it comes to
anything you want to push into production. Keep everything behind TLS if
possible (Let's Encrypt et al. are free), and if you don't understand
something, don't use it. If JWTs don't make sense to you, avoid them and stick
with traditional sessions. Your SPA works perfectly fine using traditional
server-side sessions and encrypted cookies without the latest hip protocol
implemented by a 3rd-party API gateway. Don't trust security advice from
random people over the internet without doing your own research. Here is some
good reading material:

[https://latacora.micro.blog/2018/06/12/a-childs-garden.html](https://latacora.micro.blog/2018/06/12/a-childs-garden.html)

[https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html](https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html)
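The sign-up -> password hashing -> confirmation -> login workflow described above, with server-side sessions and a per-session CSRF token, as an added example. This is not code from the thread, nor from Rails, Devise, Django or Phoenix; the `AuthService` class, its method names and the in-memory dicts standing in for a database are illustrative assumptions. It uses scrypt from the standard library and constant-time comparison for every secret that comes from the client.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Added example, not code from the thread or from any of the frameworks it
# names. AuthService and its storage dicts are illustrative stand-ins.

# scrypt parameters: N=2^14, r=8, p=1 needs roughly 16 MiB per hash, which fits
# hashlib.scrypt's default memory cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password, salt); the salt is stored with the hash."""
    salt = os.urandom(SALT_BYTES)
    return salt + _scrypt(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    return hmac.compare_digest(_scrypt(password, salt), digest)


# Hash to verify against when the username is unknown, so a login attempt
# costs the same whether or not the account exists (no username oracle).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}     # username -> {"hash": bytes, "confirmed": bool}
        self.pending: Dict[str, str] = {}    # confirmation token -> username
        self.sessions: Dict[str, dict] = {}  # session id -> {"user": str, "csrf": str}

    def register(self, username: str, password: str) -> str:
        """Store only the hash and return a single-use confirmation token,
        which the application would e-mail to the user."""
        if username in self.users:
            raise ValueError("username already taken")
        self.users[username] = {"hash": hash_password(password), "confirmed": False}
        token = secrets.token_urlsafe(32)
        self.pending[token] = username
        return token

    def confirm(self, token: str) -> bool:
        """Consume the e-mailed token; a second use fails."""
        username = self.pending.pop(token, None)
        if username is None:
            return False
        self.users[username]["confirmed"] = True
        return True

    def login(self, username: str, password: str) -> Optional[str]:
        """Return an opaque session id on success, None otherwise."""
        record = self.users.get(username)
        if record is None:
            verify_password(password, _DUMMY_HASH)  # equalise timing, then fail
            return None
        if not verify_password(password, record["hash"]) or not record["confirmed"]:
            return None
        session_id = secrets.token_urlsafe(32)     # random, nothing encoded in it
        self.sessions[session_id] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return session_id

    def csrf_token(self, session_id: str) -> Optional[str]:
        """Token to embed in forms rendered for this session."""
        session = self.sessions.get(session_id)
        return session["csrf"] if session else None

    def authorize_post(self, session_id: str, submitted_csrf: str) -> Optional[str]:
        """Return the username if the session cookie and the submitted CSRF
        token both check out; a cross-site form post lacks the token."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if not hmac.compare_digest(session["csrf"].encode("utf-8"),
                                   submitted_csrf.encode("utf-8")):
            return None
        return session["user"]

    def logout(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)  # server-side invalidation, unlike a JWT
```

The session id and CSRF token are random values looked up server-side, so logout really invalidates them; the CSRF token is compared with `hmac.compare_digest` just like the password hash, because a `==` on attacker-controlled secrets leaks through timing.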

~~~
sansnomme
*server-side sessions with CSRF

------
p1mrx
Isn't it a bit irresponsible to write a guide for people who don't know how
basic authentication works, without mentioning that it's critical to
HTTPS-encrypt the message?

Base64 "looks" pretty secure if you're not paying attention.
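The point above made concrete, as an added example (not code from the post or the thread): HTTP Basic authentication (RFC 7617) only Base64-encodes `user:password`, so anyone who can read the request on a plaintext hop recovers the password with one decode, and the server-side gate that refuses to challenge for Basic credentials unless the request arrived over TLS. The captured request is constructed; the credentials in it are the RFC 7617 example pair, and the function names are assumptions.

```python
import base64
import binascii
from typing import Optional, Tuple

# Added example, not code from the post or thread. The captured request below
# is constructed; "Aladdin" / "open sesame" is the RFC 7617 example.
SAMPLE_CAPTURE = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    b"\r\n"
)


def encode_basic(user: str, password: str) -> str:
    """Build the header value a client sends. The user-id may not contain ':'."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64>' into (user, password); None if malformed."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # bad alphabet or padding, or not UTF-8
        return None
    user, sep, password = raw.partition(":")  # split on the FIRST colon only:
    if not sep:                               # the password may itself contain ':'
        return None
    return user, password


def sniff_credentials(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """What a passive observer on a plain-HTTP hop gets: no key, no attack,
    just a Base64 decode of the Authorization header."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            return decode_basic(value.decode("latin-1").strip())
    return None


def accept_basic_auth(scheme: str,
                      header_value: Optional[str]) -> Tuple[int, Optional[Tuple[str, str]]]:
    """Server-side gate. Returns (status, credentials). The 401 challenge is
    what makes a browser send the password, so it is only issued over TLS."""
    if scheme != "https":
        return 403, None   # never prompt for a password on a plaintext connection
    if header_value is None:
        return 401, None   # would also send: WWW-Authenticate: Basic realm="..."
    creds = decode_basic(header_value)
    if creds is None:
        return 400, None
    return 200, creds
```

Note that the parser splits on the first colon only: the user-id cannot contain one, but the password can, and splitting on every colon silently truncates such passwords.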

------
lobo_tuerto
If interested in a session (cookie) based approach, give this one a try:

[https://lobotuerto.com/blog/building-a-json-api-in-elixir-with-phoenix/](https://lobotuerto.com/blog/building-a-json-api-in-elixir-with-phoenix/)

~~~
scrozart
Hi! At the beginning of this section you state "Let's add some functions to
the lib/my_app/auth/auth.ex file to verify a user's password", but
lib/my_app/auth/auth.ex was never created in the previous sections of the
tutorial. Please indicate if it needs to be created, or if its creation is
done somewhere else. Thanks!

------
lprd
I keep hearing things about Phoenix (specifically LiveView) and I am very
interested in Elixir. What's the learning curve like for someone who's
primarily a JavaScript (with a little bit of PHP/Laravel) developer? Is it a
purely functional language?

~~~
anthony_doan
> What's the learning curve like for someone who's primarily a JavaScript
> (with a little bit of PHP/Laravel) developer?

Really depends on how much of a language junkie you are.

I came from old-school JavaScript and PHP and did mostly functional JavaScript
(closures, higher-order functions, etc.). I did other languages too, but PHP and
JavaScript were my primary ones. It's moderate, not a very complex language, but
the paradigm can be a little bit high. The creator kept the language nice and
small, imo.

You can get away with half of it if you're just doing Phoenix and ignore OTP
(processes, concurrency stuff). You can learn OTP later.

> Is it a purely functional language?

Very close to pure.

There is no for loop. If you want to loop you have to do recursion.

You don't have to loop much because there are comprehensions and generators.

You don't use closures or anything that fancy unless you want to. I think the
most is higher-order functions and those functional things like map, reduce,
etc. It's not bad because you can google those things to get what you want.
I think learning how to pipe |> a lot of stuff and pattern matching is what
you really need, mostly.

The reason I said very close is because it's pragmatic like Python, where not
everything is an object. You can invoke the len() function without it being a
method on an object. The example most Erlang tutorials give of it being
pragmatic is the time function, and how the time function isn't referentially
transparent. Also some other fancy functional stuff from Haskell is missing
that some people asked for on the Elixir forum, but I don't understand it.

------
keithnoizu
Mhhm I use JWTs with the Guardian library.
[https://github.com/ueberauth/guardian](https://github.com/ueberauth/guardian)

Including some custom stuff to handle firebase auth tokens on one project.

~~~
anthony_doan
I think JWTs are useful for web services. For web applications I think JWT is
a terrible idea. Pow library is really awesome for web application
authentication.

~~~
keithnoizu
Nice, I'll give it a spin.

