Closed njwest closed 3 years ago
Hi @njwest! It is not a problem to put it in the connection. After all, the connection has other confidential information, such as secret_key_base and similar. The reason that's ok is because the connection only lives during the scope of the request and is discarded afterwards. It is not shared with the client nor anything else.
However, there is nothing wrong with your changes either. So it is up to you!
Thanks, @josevalim! My main concern is a developer not realizing that there is sensitive info in `conn.assigns[:current_user]` and irresponsibly passing the entire `current_user` record to the frontend, but I suppose it is up to the developer to code responsibly.
Thanks for this really great, robust auth solution generator! Am loving using it for Phoenix session auth.
I am a bit uneasy with how the default auth behavior assigns `hashed_password` to `conn` in `UserAuth`'s `fetch_current_user` function, via `verify_session_token_query/1` (`~/lib/my_app/accounts/user_token.ex`):

I'm removing this in my own codebase by just selecting what I need from the user record in `verify_session_token_query`:
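An added illustration, not the issue author's code and not the phx.gen.auth generator's output: one way to narrow the generated `verify_session_token_query/1` so the `%User{}` placed in `conn.assigns` never carries `hashed_password`, plus a `Jason.Encoder` restriction as a second guard against a controller handing the whole struct to the client. Module names, fields and the 60-day validity follow the default phx.gen.auth layout and are assumed.

```elixir
defmodule MyApp.Accounts.User do
  use Ecto.Schema

  # Defense in depth for the concern raised in the thread: even if a controller
  # renders the whole struct as JSON, only these fields are encoded.
  @derive {Jason.Encoder, only: [:id, :email]}
  schema "users" do
    field :email, :string
    field :password, :string, virtual: true, redact: true
    field :hashed_password, :string, redact: true
    field :confirmed_at, :naive_datetime
    timestamps()
  end
end

defmodule MyApp.Accounts.UserToken do
  use Ecto.Schema
  import Ecto.Query
  alias MyApp.Accounts.UserToken

  @session_validity_in_days 60

  schema "users_tokens" do
    field :token, :binary
    field :context, :string
    field :sent_to, :string
    belongs_to :user, MyApp.Accounts.User
    timestamps(updated_at: false)
  end

  # Query used by UserAuth.fetch_current_user/2. The only change from the
  # generated version is the select clause: struct/2 loads a partial %User{}
  # (the listed fields set, the rest nil) instead of the full row, so the
  # password hash stays in the database rather than in conn.assigns.
  def verify_session_token_query(token) do
    query =
      from token in token_and_context_query(token, "session"),
        join: user in assoc(token, :user),
        where: token.inserted_at > ago(@session_validity_in_days, "day"),
        select: struct(user, [:id, :email, :confirmed_at])

    {:ok, query}
  end

  def token_and_context_query(token, context) do
    from UserToken, where: [token: ^token, context: ^context]
  end
end
```

A user loaded this way has `hashed_password: nil`, so any flow that re-verifies the current password from `conn.assigns.current_user` (the generated settings controller does this via `Accounts.update_user_password/3`) must first reload the full record with `Accounts.get_user!(user.id)`, or the password check will fail.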