
One of the interesting things about the Elixir/Phoenix community is that building your own authentication system seems to be encouraged. Even if you're using one of the plugs available (guardian?) you still have to do a ton of manual lifting.



It really depends what you are going for. There are libraries out there that are pluggable for lots of different auth mechanisms like https://github.com/ueberauth/ueberauth

If you want something like Devise from the Rails world, there is also Coherence. https://github.com/smpallen99/coherence


This seems to be the case in many places outside of Rails. I know that Clojure, at least, seems to encourage implementing things yourself by way of leveraging smaller libraries and modules.

Auth is genuinely hard, and turnkey solutions often aren't enough.


Auth is genuinely hard, and a hand-rolled solution's definitely not enough...

Given the massive attack surface for a web application, it's absurd to think someone could (or should*) develop an entire auth framework from scratch for all their projects. Turnkey solutions, like Ruby's Devise, are a godsend. Even in situations where a custom flow was needed, it's saved both me and my clients hundreds of hours.

In addition, I benefit from the community around a turnkey solution. Think of all the years the software has been tested in umpteen production environments. Think of all the people that have an eye on the code and report security flaws while you sleep. Your custom session management implementation will never have that benefit.

Also, why the hell are you building auth when you could be building your app? Is that really such a critical experiential part of your app that you can't possibly rely on something turnkey and then move on to the features that actually matter?


All of what you say is true but I feel important details are lost.

Elixir's Phoenix framework has very good plugins -- like Guardian -- that give you 95% of the tools you might need for your own security solution, and you can assemble it together in 15-60 minutes (this of course assumes your security model isn't wildly different from what the various plugins support). You have separate Plugs -- think of them as pipes of a sort -- that handle cookie session management, another that handles JWT tokens, HTTP basic auth, etc.

The only thing you must do is to assemble such pieces in a code module that basically serves as a pipeline with several Plugs (pipes) connected in the order you deem appropriate for the security model of your app. Any of these Plugs can modify or remove headers or tokens, can consult a 3rd party system (say, for single sign-on), can provide throttling, temporarily lock out an account that made too many invalid login attempts, can refuse a session due to non-whitelisted IP, etc. etc.

So no, you're not inventing cookie session management or anything there. You simply have control over which security mechanisms -- and when, and under which conditions -- happen on a request.
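The pipeline described above, as an added illustration that is not code from the thread or from Phoenix itself: two small Plugs (a bearer-token check and an IP allowlist) composed into a router pipeline. The module names, the `MyApp.Accounts.verify_api_token/1` lookup and the allowed-IP list are assumptions for illustration.

```elixir
# Added example, not from the original thread. MyApp.* modules and the
# verify_api_token/1 function are assumed to exist in the application.
defmodule MyApp.Plugs.RequireBearerToken do
  @moduledoc "Halts the request unless a valid bearer token is presented."
  import Plug.Conn
  @behaviour Plug

  # The option is a module exposing verify_api_token/1 -> {:ok, user} | :error.
  def init(opts), do: Keyword.fetch!(opts, :verifier)

  def call(conn, verifier) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user} <- verifier.verify_api_token(token) do
      assign(conn, :current_user, user)
    else
      # Any failure (missing header, bad token) stops the pipeline here;
      # later plugs and the controller never run for this request.
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end
end

defmodule MyApp.Plugs.AllowlistIP do
  @moduledoc "Refuses requests whose source address is not on the allowlist."
  import Plug.Conn
  @behaviour Plug

  def init(opts), do: Keyword.fetch!(opts, :allowed)

  def call(conn, allowed) do
    # conn.remote_ip is an :inet address tuple, e.g. {127, 0, 0, 1}.
    if conn.remote_ip in allowed, do: conn, else: conn |> send_resp(403, "forbidden") |> halt()
  end
end

defmodule MyAppWeb.Router do
  use Phoenix.Router

  pipeline :api do
    plug :accepts, ["json"]
  end

  # Order matters: the cheap IP check runs before the token lookup.
  pipeline :authenticated do
    plug MyApp.Plugs.AllowlistIP, allowed: [{127, 0, 0, 1}]
    plug MyApp.Plugs.RequireBearerToken, verifier: MyApp.Accounts
  end

  scope "/api", MyAppWeb do
    pipe_through [:api, :authenticated]
    get "/me", MeController, :show
  end
end
```

Because each Plug can `halt/1`, a rejected request never reaches the controller, so additional checks (throttling, lockout, SSO) are just more modules slotted into the same pipeline.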


> Even in situations where a custom flow was needed, it's saved both me and my clients hundreds of hours.

And it possibly saved you from embarrassment as well.


Let's not also forget that lots of projects people are using Phoenix for are APIs (either for mobile apps or single page web applications). Because of that, it makes sense to glue together smaller libs to match your house style for how you want that auth contract to work.


Can confirm. Currently working on several Elixir API apps; they are an absolute joy to work on and you get tons of freedom in how exactly to structure them.

The "cruft" from the Phoenix framework is absolutely minimal -- mandatory 4-6 files per project at the most. And they're quite small, too.


I agree Auth is hard, but that makes me want a good turnkey solution even more.



