Closed obrok closed 5 years ago
It's unclear to me how to properly clear the remember me when signing out. See https://github.com/ueberauth/guardian/issues/507
Looking at the discussion you linked to from the issue you referenced above, it seems they are setting some cookie flags that make the cookies only be transmitted when HTTPS is used. What does this mean for our system when it's used with plain HTTP? Will remember me be broken? Or will auth in general be broken?
Not sure... It does seem to work on localhost
> Or will auth in general be broken?
Seems like if you're logging in via HTTPS, `secure` will be set to true, and false otherwise. See https://github.com/ueberauth/guardian/pull/419#issuecomment-353679374 and https://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4
Guardian 1.1.0 has now been released. This issue is ready to be tackled.
I started on this, but ran into the following problem: https://github.com/ueberauth/guardian/issues/507. The team over at guardian have not responded yet, and I'm unsure on how to proceed.
The guardian team seem to have taken my feature request, but they have a long turnaround time. I'll just wait patiently until they release another version.
We have a custom implementation of remember me:
https://github.com/Aircloak/aircloak/blob/master/air/lib/air_web/plugs/session.ex#L99 https://github.com/Aircloak/aircloak/blob/master/central/lib/central_web/plugs/session.ex#L19
Once guardian 1.1.0 is released we should just use their implementation, see https://github.com/ueberauth/guardian/blob/master/lib/guardian/plug/verify_cookie.ex#L2 and https://github.com/ueberauth/guardian#basics
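The two points raised in this thread, the `secure` flag following the request scheme and clearing the remember-me cookie on sign-out, as an added example. This is not the Aircloak `session.ex` code linked above and not Guardian's `VerifyCookie`; it is a stand-alone plug built only on `Plug.Conn` and `Plug.Crypto.MessageVerifier` (so it assumes a Plug version that ships that module). The module name, cookie name, 30-day lifetime and the `user_id|expiry` payload layout are all assumptions made for the example.

```elixir
# Added example, not project code: a minimal signed remember-me cookie.
defmodule RememberMeExample do
  import Plug.Conn

  # Assumed cookie name and lifetime (30 days).
  @cookie "_remember_me"
  @max_age 30 * 24 * 60 * 60
  # path must be identical when setting and deleting, or the browser
  # keeps the old cookie; http_only keeps it away from page scripts.
  @cookie_opts [path: "/", http_only: true, max_age: @max_age]

  # Set the cookie after a successful login. `secret` is assumed to come
  # from application config; it must be the same for remember/2 and verify/2.
  def remember(conn, user_id, secret) do
    # Payload carries the user id and an absolute expiry; the whole string
    # is signed, so neither field can be altered client-side.
    payload = "#{user_id}|#{System.system_time(:second) + @max_age}"
    token = Plug.Crypto.MessageVerifier.sign(payload, secret)

    # secure: true only when the login itself came in over HTTPS. This is
    # the behaviour discussed above: on plain HTTP the flag is false, because
    # a secure cookie is never sent back over HTTP and remember-me would
    # silently stop working.
    put_resp_cookie(conn, @cookie, token,
      @cookie_opts ++ [secure: conn.scheme == :https])
  end

  # Sign-out: expire the cookie. delete_resp_cookie/3 needs the same
  # path (and domain, if one was used) as the original put_resp_cookie/4.
  def forget(conn) do
    delete_resp_cookie(conn, @cookie, path: "/")
  end

  # Returns {:ok, user_id} or :error. Rejects missing, tampered and
  # expired tokens alike, without revealing which check failed.
  def verify(conn, secret) do
    conn = fetch_cookies(conn)

    with token when is_binary(token) <- conn.cookies[@cookie],
         {:ok, payload} <- Plug.Crypto.MessageVerifier.verify(token, secret),
         [user_id, exp] <- String.split(payload, "|", parts: 2),
         {exp, ""} <- Integer.parse(exp),
         true <- exp > System.system_time(:second) do
      {:ok, user_id}
    else
      _ -> :error
    end
  end
end
```

Two caveats a reviewer would want stated. First, `forget/1` only removes the cookie from the browser that sent the sign-out request; a copy of the token taken from another browser, or by an attacker, stays valid until the embedded expiry, so a real implementation also needs server-side revocation (a token id stored and checked on each use). Second, the scheme-dependent `secure` flag means a cookie issued over HTTPS is not presented on a later plain-HTTP visit to the same host, which looks like "remember me is broken" rather than an error; serving the whole site over one scheme avoids the confusion.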