1

I'm developing a login system for a web application using Guardian to handle authentication. In my Guardian config i have 

ttl: {30, :days}

User's token is stored in cookies by calling:

defp login(conn, user) do
  conn
  |> Guardian.Plug.sign_in(user)
end

Like this, token is valid for 30 days and stays there even if browser is closed (expected behaviour for a cookie). User, however, should be able to choose if being remembered or not during login. If not, token must be deleted from cookies upon closing browser window. I've tried to set 

ttl: {0, :days}

and it seems to accomplish the needed behaviour. Said that:

  1. Is ttl: {0, :days} a proper way to authenticate a user until browser window gets closed? If so, how to programmatically change ttl value in the pipeline before Guardian.Plug.sign_in(conn, user) is called?
  2. Is Guardian able to store token in cookies or in session storage based on the user selection? (cookies for selected remember me, session storage if not)
Razinar
  • 727
  • 3
  • 13
  • 21

1 Answers1

1

Maybe check the Guardian.Plug.remember_me/4 function. There's an example on Guardian's GitHub.

# Set a "refresh" token directly on a cookie.
# Can be used in conjunction with `Guardian.Plug.VerifyCookie`
conn = MyApp.Guardian.Plug.remember_me(conn, resource)

Changing the TTL is very dangerous here, because it means that right after login you have expired token so every single API route would not work if you authorize the request based on the token.

Guardian is able to store the session and store the token in the same time, so propably you would need to customize the auth system to your needs.

PatNowak
  • 5,721
  • 1
  • 25
  • 31