phoenixframework / phoenix_live_view

Rich, real-time user experiences with server-rendered HTML
https://hex.pm/packages/phoenix_live_view
MIT License

Phoenix live view generators don't play well with auth #3520

Closed lifeiscontent closed 3 days ago

lifeiscontent commented 1 week ago

Environment

Actual behavior

running:

mix phx.gen.auth Accounts User users
mix phx.gen.live Content Article articles title:string slug:string:unique description:string body:text author_id:references:users

router.ex

defmodule RealworldWeb.Router do
  use RealworldWeb, :router

  import RealworldWeb.UserAuth

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {RealworldWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :fetch_current_user
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/", RealworldWeb do
    pipe_through :browser

    live "/", ArticleLive.Index, :index
    live "/articles/:id", ArticleLive.Show, :show
  end

  # Other scopes may use custom stacks.
  # scope "/api", RealworldWeb do
  #   pipe_through :api
  # end

  # Enable LiveDashboard and Swoosh mailbox preview in development
  if Application.compile_env(:realworld, :dev_routes) do
    # If you want to use the LiveDashboard in production, you should put
    # it behind authentication and allow only admins to access it.
    # If your application does not have an admins-only section yet,
    # you can use Plug.BasicAuth to set up some basic authentication
    # as long as you are also using SSL (which you should anyway).
    import Phoenix.LiveDashboard.Router

    scope "/dev" do
      pipe_through :browser

      live_dashboard "/dashboard", metrics: RealworldWeb.Telemetry
      forward "/mailbox", Plug.Swoosh.MailboxPreview
    end
  end

  ## Authentication routes

  scope "/", RealworldWeb do
    pipe_through [:browser, :redirect_if_user_is_authenticated]

    live_session :redirect_if_user_is_authenticated,
      on_mount: [{RealworldWeb.UserAuth, :redirect_if_user_is_authenticated}] do
      live "/users/register", UserRegistrationLive, :new
      live "/users/log_in", UserLoginLive, :new
      live "/users/reset_password", UserForgotPasswordLive, :new
      live "/users/reset_password/:token", UserResetPasswordLive, :edit
    end

    post "/users/log_in", UserSessionController, :create
  end

  scope "/", RealworldWeb do
    pipe_through [:browser, :require_authenticated_user]

    live_session :require_authenticated_user,
      on_mount: [{RealworldWeb.UserAuth, :ensure_authenticated}] do
      live "/users/settings", UserSettingsLive, :edit
      live "/users/settings/confirm_email/:token", UserSettingsLive, :confirm_email
      live "/articles/new", ArticleLive.Index, :new
      live "/articles/:id/edit", ArticleLive.Index, :edit
      live "/articles/:id/show/edit", ArticleLive.Show, :edit
    end
  end

  scope "/", RealworldWeb do
    pipe_through [:browser]

    delete "/users/log_out", UserSessionController, :delete

    live_session :current_user,
      on_mount: [{RealworldWeb.UserAuth, :mount_current_user}] do
      live "/users/confirm/:token", UserConfirmationLive, :edit
      live "/users/confirm", UserConfirmationInstructionsLive, :new
    end
  end
end

LiveView does not redirect me when I click "edit" on the article new link, and when I try to access current_user I get nil.

Expected behavior

I would expect LiveView to redirect me, as the default setup suggests it should, if I place these routes in require_authenticated_user.

lifeiscontent commented 4 days ago

@SteffenDE @josevalim could you guys maybe shed some light on this? I'm wondering if there's just something I might be missing to make this work, but at least on the surface, it wasn't clear how to handle the unauthenticated state for an update action.

SteffenDE commented 4 days ago

I didn’t have time to look into this yet, but it’s on my todo list. I’ll try to find some time tomorrow :)

lifeiscontent commented 4 days ago

Thank you!

josevalim commented 3 days ago

This is a bug: LiveView should enforce a full page redirect when navigating across live sessions. We do it for navigation events, but we are not doing it for patch. You can read this guide for more information: https://github.com/phoenixframework/phoenix_live_view/blob/main/guides/server/security-model.md

I will transfer this to LiveView repo.
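An added example (not from this issue or the LiveView project) of the in-LiveView check the linked security guide asks for. A live_patch from `:index` to `:new` stays inside `ArticleLive.Index`, so the `live_session` `on_mount` hooks are never re-run and the router alone cannot protect the `:new`/`:edit` actions; the check has to happen in `handle_params/3`. It assumes the `/` and `/articles/:id` routes are moved into the `:current_user` live_session (so `mount_current_user` assigns `current_user`, possibly nil) and that `Realworld.Content` exposes the `list_articles/0`, `get_article!/1` and `Article` names phx.gen.live generates by default.

```elixir
defmodule RealworldWeb.ArticleLive.Index do
  use RealworldWeb, :live_view

  alias Realworld.Content

  # Actions that create or modify content. A patch between actions of the
  # same LiveView never re-runs the live_session on_mount hooks, so these
  # are re-checked on every handle_params, not just at mount.
  @authenticated_actions [:new, :edit]

  @impl true
  def mount(_params, _session, socket) do
    # Assumed generated context function from `mix phx.gen.live Content Article ...`.
    {:ok, assign(socket, :articles, Content.list_articles())}
  end

  @impl true
  def handle_params(params, _uri, socket) do
    action = socket.assigns.live_action

    # `current_user` is assumed to be assigned by UserAuth's :mount_current_user hook.
    if action in @authenticated_actions and is_nil(socket.assigns[:current_user]) do
      # Unauthenticated patch to :new/:edit: force a full navigation to the
      # login page instead of rendering the form.
      {:noreply,
       socket
       |> put_flash(:error, "You must log in to access this page.")
       |> push_navigate(to: ~p"/users/log_in")}
    else
      {:noreply, apply_action(socket, action, params)}
    end
  end

  defp apply_action(socket, :index, _params) do
    socket |> assign(:page_title, "Listing Articles") |> assign(:article, nil)
  end

  defp apply_action(socket, :new, _params) do
    socket |> assign(:page_title, "New Article") |> assign(:article, %Content.Article{})
  end

  defp apply_action(socket, :edit, %{"id" => id}) do
    socket |> assign(:page_title, "Edit Article") |> assign(:article, Content.get_article!(id))
  end
end
```

Checking ownership of the article in `:edit` (the `author_id` column from the generator command) is a separate authorization step and belongs in the same `handle_params` path.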