ueberauth / guardian

Elixir Authentication
MIT License

How does Guardian.Permissions work with plug in Pipeline? #477

Closed shahryarjb closed 6 years ago

shahryarjb commented 6 years ago

Hello, I create the token first in my project's source and send it to the Pipeline.


For example:

Test for creating the token:
  url: http://localhost:4000/api/users/sign-in
  value: password: "2"

Test for authorization:
  url: http://localhost:4000/api/users/sign-out
  header: Authorization: Bearer Token

I get {"message":"unauthorized"} when I send a request to sign-out.

My pipeline:

https://github.com/shahryarjb/ESOGIP/blob/master/lib/api_trangell/auth_pipeline.ex#L7

The code in which the token is made:

https://github.com/shahryarjb/ESOGIP/blob/master/lib/api_trangell_web/controllers/page_controller.ex#L8-L19


Meanwhile, I have tested without Plug and succeeded.

  user = %{id: "1", user: "shahryar"}

  # permissions written directly into the claims map (the approach under discussion)
  {:ok, token, claims} =
    ApiTrangell.Guardian.encode_and_sign(
      user,
      %{some: "claim", userid: 2, admin: 2, pem: %{default: [:public_profile], user_actions: [:books]}},
      token_type: "access",
      ttl: {99, :weeks}
    )

  claims
  |> ApiTrangell.Auth.Token.decode_permissions_from_claims()
  |> ApiTrangell.Auth.Token.all_permissions?(%{default: [:public_profile], user_actions: [:books]})

How do I fix this ? Thanks.

hassox commented 6 years ago

Hey @shahryarjb

  1. You'll need to put your permissions plug after your verify ones (I'd put it after ensure authenticated also) so that it has something to work with.

  2. You'll need to add a build_claims hook like: https://github.com/ueberauth/guardian/blob/master/lib/guardian/permissions/bitwise.ex#L41

  3. You wouldn't set the permissions directly in the claims like you have above and in your controller. Permissions are generally set via options that are picked up in your build_claims function.
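
The three steps above wired together, as an added example (not the issue author's project code and not Guardian's own source). Module names MyApp.Auth.Token, MyApp.AuthErrorHandler and MyApp.AuthPipeline are assumed, as is the claims filter `%{"typ" => "access"}`; the calls follow the Guardian 1.0 Guardian.Permissions.Bitwise API. The last module shows the same decode/all_permissions? check the thread later runs in iex, this time on a token whose permissions were supplied through the :permissions option rather than written into the claims by hand.

```elixir
# Added example, not code from the issue or from Guardian itself.
# Assumed module names: MyApp.Auth.Token, MyApp.AuthErrorHandler, MyApp.AuthPipeline.

defmodule MyApp.Auth.Token do
  # Permission sets are declared once, here. Each set becomes one bit field:
  # a list is assigned bits 2^0, 2^1, ... in order; a map fixes the bits explicitly.
  use Guardian,
    otp_app: :my_app,
    permissions: %{
      default: [:public_profile, :user_about_me],
      user_actions: %{books: 0b1, fitness: 0b10, music: 0b100}
    }

  use Guardian.Permissions.Bitwise

  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_, _), do: {:error, :no_id}

  # Normally loads the user from the database; stubbed so the example is self-contained.
  def resource_from_claims(%{"sub" => id}), do: {:ok, %{id: id}}

  # Step 2: the build_claims hook. The caller never writes "pem" into the claims;
  # permissions arrive as the :permissions option and are encoded here.
  # encode_permissions_into_claims!/2 raises on a permission that is not declared
  # in the :permissions config above, and leaves the claims untouched when the
  # option is absent (which is why a token issued without it has no "pem" claim).
  def build_claims(claims, _resource, opts) do
    claims = encode_permissions_into_claims!(claims, Keyword.get(opts, :permissions))
    {:ok, claims}
  end
end

defmodule MyApp.AuthErrorHandler do
  @behaviour Guardian.Plug.ErrorHandler
  import Plug.Conn

  # EnsureAuthenticated and Permissions.Bitwise both report failures here.
  # Answering with a 401 rather than raising keeps a failed check from
  # surfacing as a 500.
  @impl Guardian.Plug.ErrorHandler
  def auth_error(conn, {type, _reason}, _opts) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(401, ~s({"message":"#{type}"}))
  end
end

defmodule MyApp.AuthPipeline do
  use Guardian.Plug.Pipeline,
    otp_app: :my_app,
    module: MyApp.Auth.Token,
    error_handler: MyApp.AuthErrorHandler

  # Step 1: verify first, then require a token, then check permissions.
  # The permissions plug reads the claims that VerifyHeader/VerifySession
  # put on the conn; placed before them it has nothing to check.
  plug Guardian.Plug.VerifySession, claims: %{"typ" => "access"}
  plug Guardian.Plug.VerifyHeader, claims: %{"typ" => "access"}, realm: "Bearer"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Permissions.Bitwise, ensure: %{default: [:public_profile], user_actions: [:books]}
  plug Guardian.Plug.LoadResource, ensure: true
end

# Step 3: issue a token with permissions passed as an option, then check the
# claims outside of Plug (for example in iex) the same way the plug does.
defmodule MyApp.Auth.Example do
  @perms %{default: [:public_profile], user_actions: [:books]}

  def issue_and_check(user \\ %{id: 1}) do
    {:ok, token, claims} =
      MyApp.Auth.Token.encode_and_sign(user, %{}, permissions: @perms, ttl: {1, :hour})

    # With the hook in place the claims now carry a "pem" entry.
    granted = MyApp.Auth.Token.decode_permissions_from_claims(claims)

    has_required = MyApp.Auth.Token.all_permissions?(granted, @perms)
    has_music = MyApp.Auth.Token.all_permissions?(granted, %{user_actions: [:music]})

    {token, has_required, has_music}
  end
end
```

Running MyApp.Auth.Example.issue_and_check/1 in iex should yield a token whose claims satisfy the required set and fail the :music check, since :music was never granted. A token issued without the :permissions option decodes to an empty permission map, which is exactly what the plug then rejects.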

shahryarjb commented 6 years ago

Hi @hassox and Thank you,

I want to set plug Guardian.Permissions.Bitwise, ensure: %{default: [:public_profile], user_actions: [:books]} after plug Guardian.Plug.EnsureAuthenticated, but I get a 500 error when I put it there.

My code is like this:

  plug Guardian.Plug.VerifySession, claims: @claims
  plug Guardian.Plug.VerifyHeader, claims: @claims, realm: "Bearer"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Permissions.Bitwise, ensure: %{default: [:public_profile], user_actions: [:books]}
  plug Guardian.Plug.LoadResource, ensure: true

Error:

HTTP/1.1 500 Internal Server Error

Server: Cowboy
Date: Tue, 06 Mar 2018 18:04:45 GMT
Content-Length: 57966
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0, private, must-revalidate
x-request-id: qnke9pr2it5km31ih7gn1b7b2m9jnbje

Is this a problem with the direction of the code in this section? Like this? Or?

  {:ok, token, claims} =
    ApiTrangell.Guardian.encode_and_sign(
      user,
      %{some: "claim", userid: 2, admin: 2, pem: %{default: [:public_profile], user_actions: [:books]}},
      token_type: "access",
      ttl: {99, :weeks}
    )

hassox commented 6 years ago

Did you add the build claims hook? You're still directly setting the pem in the claim but you're setting it to a list. Check the link in my last comment for how to set it up.

shahryarjb commented 6 years ago

Hi @hassox ,

I added build_claims but I don't know how to create the ACL. Please see the link: https://github.com/shahryarjb/ESOGIP/blob/master/lib/api_trangell/auth/token.ex#L17

How do I create the token permissions in the build_claims hook?

Sorry for this, and thank you for helping me! 🌹

hassox commented 6 years ago

I've gone through your code and put together a gist of it. You're missing a lot of the setup for basic Guardian, so I suggest you get basic Guardian working before you move on to permissions. It can take a while for everything to click into place. Perhaps follow a tutorial for getting set up so you can explore Phoenix a little more.

There are a few tutorials online for getting everything wired together from a standing start. The top one when I googled it was https://medium.com/@zacharykuhn/setting-up-a-phoenix-app-with-guardian-1-0-411ff3195adb

That said, here is a gist with the relevant parts from your application.

https://gist.github.com/hassox/c731067efc1ca748e2eabbff19ccd27c

shahryarjb commented 6 years ago

Hi @hassox , Thank you so much.

I have seen https://medium.com/@zacharykuhn/setting-up-a-phoenix-app-with-guardian-1-0-411ff3195adb before, but it didn't talk about permissions, so I was trying with your document.

I've solved the problems you mentioned, and thank you again. After fixing them I tried to get a token: I sent a request to api/users/sign-in and succeeded in getting one. But now, how do I test whether the token is correct or not? Is {perms = %{default: [:public_profile], user_actions: [:books]}} available in my token or not? Because I get nothing when I write this code in iex -S mix phx.server:

  token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6MTIsImF1ZCI6ImFwaV90cmFuZ2VsbCIsImV4cCI6MTU4MDM2MzE3OCwiaWF0IjoxNTIwNDg3OTc4LCJpc3MiOiJhcGlfdHJhbmdlbGwiLCJqdGkiOiIzM2NmNTE4MS0xYzFjLTQzMDktODNiOS02M2Y0ZmQwMmQ1ZjkiLCJuYmYiOjE1MjA0ODc5NzcsInNvbWUiOiJjbGFpbSIsInN1YiI6IjEiLCJ0eXAiOiJhY2Nlc3MifQ.3BQxVZoFWyr_-pYSF1r5IO44SSp7q2zhtW8Bdg1611o"

  {:ok, claims} = ApiTrangell.Guardian.decode_and_verify(token)

  # Or

  claims
  |> ApiTrangell.Auth.Token.decode_permissions_from_claims()
  |> ApiTrangell.Auth.Token.all_permissions?(%{default: [:public_profile], user_actions: [:books]})

  # Or

  iex(6)> claims |> ApiTrangell.Auth.Token.decode_permissions_from_claims
  %{}

I think the access is not in the token. My project's source was updated.

it's my pleasure to talk with you, Thanks.