riverrun / phauxth

Not actively maintained - Authentication library for Phoenix, and other Plug-based, web applications
409 stars, 21 forks

Manageable Cookies #75

Closed todotentei closed 6 years ago

todotentei commented 6 years ago

I want users to be able to keep track of where they have logged in (remember me) and the ability to manually sign out (e.g., lost device).

I'm thinking of adding a :cookies field just like sessions, so the user can choose to remove unwanted cookies.

In Phauxth.Remember:

def call(%Plug.Conn{req_cookies: %{"remember_me" => token}} = conn, {opts, log_meta}) do
  # get_user/3 returns the user (or nil), report/2 logs the result and passes it on,
  # and set_user/2 assigns it to :current_user on the conn.
  case get_user(conn, token, opts) |> report(log_meta) |> set_user(conn) do
    # No user could be matched to the token: drop the cookie so the browser stops sending it.
    %Plug.Conn{assigns: %{current_user: nil}} ->
      delete_rem_cookie(conn)

    # Rebind conn so the conn with the user assigned is returned, not the original one.
    conn ->
      conn
  end
end

def get_user(conn, token, {max_age, user_context, opts}) do
  # The token must verify AND still be present in the user's :cookies map;
  # a token the user has removed is treated as invalid even though its signature is good.
  with {:ok, user_id} <- Token.verify(conn, token, max_age, opts),
       %{cookies: cookies} = user <- user_context.get(user_id),
       true <- Map.has_key?(cookies, token) do
    user
  end
end

field :cookies, :map

cookies: %{
  "SFMyNTY.eyJzaWduZWQiOjE1MzYwODY4OTEsImRhdGEiOjF9.E8Gk7Gv2mqcLQMh8uyZdXie58fjHU7yu2jHozBFOu5Q" => %{
    "timestamp" => System.system_time(:second),
    "user-agent" => "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
    "remote_ip" => {127, 0, 0, 1}
  }
}

I think it's better to store it in a separate table.

riverrun commented 6 years ago

To start off with, we could add this to the documentation, or the wiki, as an example of how you can extend the Remember plug. After that, we can discuss whether we want to add it to the default implementation.

todotentei commented 6 years ago

I wrote some more here. I want to set the default :enable_cookie_management config to false. And if anyone wants to use it, they can set it to true and follow some instructions.

riverrun commented 6 years ago

Thanks - I'll take a look at that later and get back to you soon.

todotentei commented 6 years ago

I think this is the simplest way to enable cookie management:

In Phauxth.Config, add:

def enable_cookie_management do
  Application.get_env(:phauxth, :enable_cookie_management, false)
end

In Phauxth.Remember, add:

def init(opts) do
  {
    {
      Keyword.get(opts, :max_age, @max_age),
      Keyword.get(opts, :user_context, Config.user_context()),
      Keyword.get(opts, :enable_cookie_management, Config.enable_cookie_management()),
      opts
    },
    Keyword.get(opts, :log_meta, [])
  }
end

# Cookie management disabled: any token that verifies is accepted (the existing behaviour).
def get_user(conn, token, {max_age, user_context, false, opts}) do
  with {:ok, user_id} <- Token.verify(conn, token, max_age, opts) do
    user_context.get(user_id)
  end
end

# Cookie management enabled: the token must also still be listed in the user's :cookies map.
def get_user(conn, token, {max_age, user_context, true, opts}) do
  with {:ok, user_id} <- Token.verify(conn, token, max_age, opts),
       %{cookies: cookies} = user <- user_context.get(user_id),
       true <- Map.has_key?(cookies, token) do
    user
  end
end

So, if get_user returns nil, then call delete_rem_cookie/1.
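The design sketched in the first comment and refined in the one above (a per-user record of issued remember-me tokens, checked on every request and deletable by the user) can be exercised on its own, without Phauxth or Plug. The following is an added example, not code from Phauxth or from the thread's author. It follows the "separate table" suggestion: one table keyed by token, with the user id and device metadata as the row. Two assumptions of this example go beyond the thread: the table key is the SHA-256 of the token rather than the raw token, so a leaked table does not hand out working cookies, and the row id shown to the user for revocation is that hash. The module name RememberStore, the Agent-backed table and the function names are all this example's own.

```elixir
# Added example (not Phauxth code): a revocable remember-me token table.
# Rows are keyed by SHA-256(token), an assumption of this example; the thread's
# sketch keys the map by the raw token instead.
defmodule RememberStore do
  use Agent

  def start_link(_opts \\ []), do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  # Only the hash is ever stored; the raw token lives in the user's cookie alone.
  defp hash(token), do: :crypto.hash(:sha256, token) |> Base.encode16(case: :lower)

  # Issue a new token for user_id and record where it was created (the same
  # "timestamp" / "user-agent" / "remote_ip" metadata the thread proposes).
  # Returns the raw token to be set as the remember_me cookie.
  def issue(user_id, device) when is_map(device) do
    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    meta = Map.put(device, "timestamp", System.system_time(:second))
    Agent.update(__MODULE__, &Map.put(&1, hash(token), {user_id, meta}))
    token
  end

  # The equivalent of the membership check in the thread's get_user/3: a token
  # that is well formed but no longer in the table is :error, and the calling
  # plug would delete the cookie exactly as it does for a bad signature.
  def lookup(token) do
    case Agent.get(__MODULE__, &Map.get(&1, hash(token))) do
      nil -> :error
      {user_id, meta} -> {:ok, user_id, meta}
    end
  end

  # What a "where am I logged in" page shows: metadata plus a row id, never the token.
  def list(user_id) do
    Agent.get(__MODULE__, fn table ->
      for {id, {^user_id, meta}} <- table, do: Map.put(meta, "id", id)
    end)
  end

  # Manual sign-out of one device (e.g. a lost iPad). The ownership check stops
  # one user from revoking another user's row by guessing an id.
  def revoke(user_id, id) do
    Agent.get_and_update(__MODULE__, fn table ->
      case Map.get(table, id) do
        {^user_id, _meta} -> {:ok, Map.delete(table, id)}
        _ -> {:error, table}
      end
    end)
  end

  # Sign out everywhere, for instance after a password change.
  def revoke_all(user_id) do
    Agent.update(__MODULE__, fn table ->
      for {id, {uid, _} = row} <- table, uid != user_id, into: %{}, do: {id, row}
    end)
  end
end

# Walk-through with constructed sample data (user id 1, an iPad on localhost).
{:ok, _pid} = RememberStore.start_link()

device = %{
  "user-agent" => "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) Safari/9537.53",
  "remote_ip" => {127, 0, 0, 1}
}

token = RememberStore.issue(1, device)
{:ok, 1, %{"remote_ip" => {127, 0, 0, 1}}} = RememberStore.lookup(token)

# The user reviews their devices and signs the iPad out.
[%{"id" => id}] = RememberStore.list(1)
{:error, _} = {RememberStore.revoke(2, id), :other_user_cannot_revoke}
:ok = RememberStore.revoke(1, id)

# The cookie is still in the browser and still has a valid signature, but the
# row is gone, so the next request is rejected and the plug deletes the cookie.
:error = RememberStore.lookup(token)
[] = RememberStore.list(1)
IO.puts("revocation works")
```

Run with `elixir remember_store.exs`. To wire this into the plug from the thread, get_user/3 would call RememberStore.lookup/1 after Token.verify/4 succeeds and treat :error the same as a failed verification, which is exactly the point where delete_rem_cookie/1 is called.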

riverrun commented 6 years ago

@virayatta I have added a related issue - #81, which is based on the version 2.0 implementation.

riverrun commented 6 years ago

The latest version calls delete_rem_cookie by default - after it sees that the cookie / token is invalid.

Can we close this issue, or is there anything else you want to add?

todotentei commented 6 years ago

Thanks for your response. I’m on vacation, so I don’t think I have anything else to add.

On Mon, 5 Nov 2018 at 11:25 am, David Whitlock notifications@github.com wrote:

The latest version calls delete_rem_cookie by default - after it sees that the cookie / token is invalid.

Can we close this issue, or is there anything else you want to add?


riverrun commented 6 years ago

I'll close it for now, and if you want to reopen it later, that's fine.