ueberauth / guardian

Elixir Authentication
MIT License

Plug Sign_In and EnsureAuthenticated #440

Closed pedromvieira closed 6 years ago

pedromvieira commented 6 years ago

I'm using Elixir 1.5.1 with Guardian 1.0.1 (and Guardian DB 1.1...). After successfully authenticating with Guardian Plug, I cannot use other plugs like VerifySession, LoadResource or EnsureAuthenticated, although I can "replicate" those functions manually. I had all working functions with previous builds (< 1.0).

CONFIG

...
config :phishx, Phishx.Guardian,
  allowed_algos: ["HS512"],
  #token_verify_module: Phishx.Guardian,
  #token_module: Phishx.Guardian,
  issuer: "phishx",
  token_ttl: %{
                :access => {1, :hours},
                :user => {2, :hours},
                :company => {365, :days}
              },
  allowed_drift: 2000,
  secret_key: Application.get_env(:phishx, :guardian_secret_key),
  permissions: %{
    account: [:read, :write, :delete, :admin, :export, :dashboard],
    group: [:read, :write, :delete, :admin, :export, :dashboard],
    mgmt: [:read, :write, :delete, :admin, :export, :dashboard],
  }

config :guardian, Guardian.DB,
  repo: Phishx.Repo,
  schema_name: "guardian_tokens",
  sweep_interval: 60
...

PIPELINE

defmodule Phishx.Guardian.AuthPipeline do
  @moduledoc """
  Guardian Auth Pipeline Settings.
  """

  use Guardian.Plug.Pipeline,
      module: Phishx.Guardian,
      error_handler: Phishx.Guardian.ErrorHandler,
      key: Application.get_env(:phishx, :guardian_secret_key),
      otp_app: :phishx

  plug Guardian.Plug.VerifySession
  #plug Guardian.Plug.LoadResource, ensure: true, allow_blank: true
  plug Guardian.Plug.EnsureAuthenticated

end

SIGN_IN

...
conn
|> Phishx.Guardian.Plug.sign_in(
  user,
  %{
    "perms" => permissions,
    "extra" => %{"subdomain" => user.subdomain, "type" => "user", "id" => user.id}
  },
  [token_type: :user]
)
...

VERIFY_TOKEN

...
case Phishx.Guardian.resource_from_token(token) do
  {:ok, resource, claims} ->
    conn
    |> Phishx.Guardian.Plug.put_current_token(token)
    |> Phishx.Guardian.Plug.put_current_claims(claims)
    |> Phishx.Guardian.Plug.put_current_resource(resource)
  ...

CONN_INSPECT

... %{PhishxWeb.Router => {[], %{}}, :guardian_default_claims => %{"aud" => "phishx", "exp" => 1517338284, "extra" => %{"id" => 1, "subdomain" => "aaa", "type" => "user"}, "iat" => 1514919084, "iss" => "phishx", "jti" => "9208bed3-2925-4523-a189-8281fb174cef", "nbf" => 1514919083, "perms" => %{"mgmt" => ["read", "export", "write", "delete", "dashboard"]}, "sub" => "user|aaa|1", "typ" => "user"}, :guardian_default_resource => %{__meta__: #Ecto.Schema.Metadata<:loaded, "tenant_aaa", "users">, __struct__: Phishx.Accounts.User, data: %{"authenticator" => "false", "birth" => "asfsaj", "country" => "USA", "editor_id" => 1, "editor_subdomain" => "aaa", "gender" => "male", "locale" => ["en-US", "pt-BR"], "logins" => 378, "mobile" => "5511951570615", "name" => "Pedro Vieira", "permissions" => "mgmt_admin", "version" => 7}, email: "vieira.net@gmail.com", enabled: true, id: 1, inserted_at: ~N[2017-09-12 19:27:23.967847], password: nil, password_hash: "$argon2i$v=19$m=65536,t=6,p=1$vim/l8gSmOJCv6PFJTxsVQ$0y9Yf0Dm1ZCHWGvYPtR2Nb3UeNSyKpoNrXQOf6eL7s0", subdomain: "aaa", subdomain_id: 23, updated_at: ~N[2018-01-02 18:51:24.246359]}, :guardian_default_token => "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwaGlzaHgiLCJleHAiOjE1MTczMzgyODQsImV4dHJhIjp7ImlkIjoxLCJzdWJkb21haW4iOiJhYWEiLCJ0eXBlIjoidXNlciJ9LCJpYXQiOjE1MTQ5MTkwODQsImlzcyI6InBoaXNoeCIsImp0aSI6IjkyMDhiZWQzLTI5MjUtNDUyMy1hMTg5LTgyODFmYjE3NGNlZiIsIm5iZiI6MTUxNDkxOTA4MywicGVybXMiOnsibWdtdCI6WyJyZWFkIiwiZXhwb3J0Iiwid3JpdGUiLCJkZWxldGUiLCJkYXNoYm9hcmQiXX0sInN1YiI6InVzZXJ8YWFhfDEiLCJ0eXAiOiJ1c2VyIn0.FT36UWipZl9x3n_eDR2RwYV2yzY0Rb795tP7vLwgAclwW2wvBCQqocJwkGUjD-YbFBIkXwx_R62NmgcU-ldDRw" ...

hassox commented 6 years ago

Hey @pedrovieira. At first glance it looks like you have the "key" option set to your secret key for your pipeline. This should not be your secret key. Unless you're doing something like impersonation you should leave that key unset. That key refers to the namespace that will be used on the connection to store the tokens and stuff. Can you remove that key and let us know how that goes?

I'm assuming the verify token in your code listing is you manually doing it. What does your Conn look like after it goes through the pipeline without the manual verify?

Can you please paste your router pipelines and the relevant routes and a stripped-down version of your controller?
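The following is an added example (not code from this thread or from the Guardian project) illustrating the point above: `key:` on `Guardian.Plug.Pipeline`, `sign_in` and `current_resource` is a namespace for where the token, claims and resource are kept on the conn and in the session, and it must match between sign-in and the pipeline that reads it back. The signing secret belongs only in `secret_key` of the `config :phishx, Phishx.Guardian` block. The module names `Phishx.Guardian.ImpersonationPipeline` and `Phishx.Guardian.ErrorHandler`, the variables `target_user` and `conn`, and the `:impersonation` key are assumptions made for the example.

```elixir
# Added example, not part of the issue thread. Assumes a Phishx.Guardian module
# defined with `use Guardian` and configured with `secret_key` in config.exs.

# Default pipeline: no `key:` option, so Guardian uses the :default namespace.
# This matches Phishx.Guardian.Plug.sign_in/4 called without a :key option, which
# is why the conn in the issue shows :guardian_default_token / _claims / _resource.
defmodule Phishx.Guardian.AuthPipeline do
  use Guardian.Plug.Pipeline,
    otp_app: :phishx,
    module: Phishx.Guardian,
    error_handler: Phishx.Guardian.ErrorHandler

  plug Guardian.Plug.VerifySession
  plug Guardian.Plug.LoadResource, ensure: true
  plug Guardian.Plug.EnsureAuthenticated
end

# A second pipeline (hypothetical) for an impersonation session held alongside
# the real one. Here an explicit `key:` is legitimate: it separates this token
# from the :default one, and the same key must be used at sign-in time.
defmodule Phishx.Guardian.ImpersonationPipeline do
  use Guardian.Plug.Pipeline,
    otp_app: :phishx,
    module: Phishx.Guardian,
    error_handler: Phishx.Guardian.ErrorHandler,
    key: :impersonation

  plug Guardian.Plug.VerifySession
  # allow_blank: true so the pipeline passes when no impersonation is active
  plug Guardian.Plug.LoadResource, allow_blank: true
end

# In a controller (illustrative): the normal user is already signed in under
# :default; the impersonated resource is stored under the :impersonation key.
conn =
  Phishx.Guardian.Plug.sign_in(conn, target_user, %{}, key: :impersonation)

# Reading back requires the same key that was used at sign-in. Had the pipeline
# been given the secret as `key:`, VerifySession would look for a session entry
# under that namespace, find nothing, and EnsureAuthenticated would then fail.
real_user = Phishx.Guardian.Plug.current_resource(conn)
impersonated = Phishx.Guardian.Plug.current_resource(conn, key: :impersonation)
```

If the value of `key:` ever has to be read from config, keep it a short atom such as `:default` or `:impersonation`; it is a name for a slot on the conn, so passing the secret there only guarantees a mismatch with the sign-in side.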

pedrovieira commented 6 years ago

hey @hassox, thanks for the mention, but I think you were trying to say @pedromvieira 😛

pedromvieira commented 6 years ago

@hassox thanks. I removed key from Auth Pipeline and it's working. :) I will now try the new bitwise permissions.

PIPELINE

defmodule Phishx.Guardian.AuthPipeline do
  @moduledoc """
  Guardian Auth Pipeline Settings.
  """

  use Guardian.Plug.Pipeline,
      otp_app: :phishx,
      module: Phishx.Guardian,
      error_handler: Phishx.Guardian.ErrorHandler

  plug Guardian.Plug.VerifySession
  plug Guardian.Plug.LoadResource, ensure: true
  plug Guardian.Plug.EnsureAuthenticated

end

ROUTER

...
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  pipeline :app do
    plug Plugs.Subdomain
    plug NavigationHistory.Tracker
    plug SetLocale, gettext: PhishxWeb.Gettext, default_locale: "en-US"
    plug Plugs.Audit
  end

  pipeline :browser_session do
    plug Phishx.Guardian.AuthPipeline
    plug Plugs.AuthenticateUser
  end
...