add SlidingCookie plug #616
Conversation
Codecov Report
@@ Coverage Diff @@
## master #616 +/- ##
=========================================
+ Coverage 86.32% 86.52% +0.2%
=========================================
Files 21 22 +1
Lines 424 438 +14
=========================================
+ Hits 366 379 +13
- Misses 58 59 +1
Continue to review full report at Codecov.
|
|
Ah ha. Fixed formatting :) |
|
Rebased on master and added |
There was a problem hiding this comment.
Very cool idea and makes the remeber_me and verify token much more useful. 👍
I think it is really important to note that this can cause a session to be authorized indefinitely, but you already touch upon this.
I have added a few comments apart from this, great PR
| @@ -767,6 +782,25 @@ defmodule Guardian do | |||
| apply(mod, :config, [:token_module, @default_token_module]) | |||
| end | |||
|
|
|||
| @doc false | |||
There was a problem hiding this comment.
It might make sense to move this to https://github.com/ueberauth/guardian/blob/master/lib/guardian/token/jwt.ex and do a small refactor to avoid a bit of code dublication
There was a problem hiding this comment.
Well.. it's funny you should say this, as a version of this logic did previously exist in jwt.ex, I necessarily decoupled the Map.put stuff in assign_exp_from_ttl from the actual ttl parsing to avoid the duplication, and then moved it out of jwt.ex to guardian.ex as I viewed it as a general utility function; it didn't seem to have anything really to do with the JWT token implementation at all as such at that point... and calling code from jwt.ex to parse a config option just didn't seem quite right to me... I'll move it to jwt.ex if you like though.
There was a problem hiding this comment.
I think you are right, that it should actually live in guardian, and we should just refactor jwt to use the code from guardian and not the other way around
README.md
Outdated
| @@ -295,6 +295,11 @@ Look for a token in the session and verify it | |||
|
|
|||
| Look for a token in cookies and exchange it for an access token | |||
|
|
|||
| #### `Guardian.Plug.SlidingCookie` | |||
|
|
|||
| Replace a token in cookies with a new one if it is older than a configured | |||
There was a problem hiding this comment.
I am thinking this sounds a bit backward. Would it make sense that, what we configure is the minimum remaining time of the token, before we would refresh it? For me, this is mostly the way I think about refresh time
I think the current way can cause some trouble if you change the ttl of the refresh token.
Say we have a refresh ttl of 7 days, and we want to refresh only when there is one day left, we would set the sliding ttl to 6 days. Changing the refresh ttl to 14 would cause the refresh to happen when there are still 8 days left.
@mwri @ueberauth/developers Let me hear what you think
There was a problem hiding this comment.
I'm absolutely with you on this, I tossed up about which way to go to be honest, a time after which it's renewed vs a time relative to the expiry... I'm very happy to change it to a minimum time remaining instead.
There was a problem hiding this comment.
I think that would make sense :D
lib/guardian/plug/sliding_cookie.ex
Outdated
| end | ||
| end | ||
|
|
||
| defp find_token_from_cookies(conn, opts) do |
There was a problem hiding this comment.
Maybe we should share this function between verifyCookie and slidingCookie?
There was a problem hiding this comment.
Sure. I don't like code duplication but let this pass as it was a small function, and I wasn't sure it was worth coupling the two modules to share it. I don't feel strongly either way though, happy to call the VerifyCookie version.
There was a problem hiding this comment.
Ah, could move it to plug.ex.
There was a problem hiding this comment.
Would be great I think we have some code in plug that basically does this aswell
There was a problem hiding this comment.
I looked at that, it has quite a lot in common with fetch_token_key/2, but it they don't really refactor together nicely IMO; I think the result would just be more abstract less clear code. The kicker is find_token_from_cookies/2 does token = conn.req_cookies[key] || conn.req_cookies[to_string(key)], using a string and atom version of the key. I'm not sure if this is necessary, the unit tests certainly pass fine with just token = conn.req_cookies[to_string(key)]` and my app is ok with it, but I'm a little reluctant to change such an obviously deliberate effort without more research, I don't know what behaviour older versions of Phoenix might have had that might necessitate it, or something else I haven't thought of...
|
Sorry, I don't know how I accidentally closed it there, must have hit a key when the button was highlighted or something. |
|
Agreed changes completed, I think. |
|
Would love to have a view from one other @ueberauth/core and a rebase from you @mwri |
|
Rebased. |
|
Cheers. Always a pleasure to contribute a well received PR. |
Adds a
SlidingCookieplug which implements a sliding window/session behaviour, allowing the remember_me cookie to be replaced before it expires.Configure (or use plug option) like so:
Add to Guardian pipeline, for example:
Provide
sliding_cookiecallback implementation: