Here is the rewritten article:
Secure Your Elixir Project with Authorization Using Guardian and JWTs
When building an Elixir project, ensuring the security and integrity of your application is crucial. In this tutorial, we’ll explore how to set up authorization using Guardian and JSON Web Tokens (JWTs). We’ll leverage Phoenix v1.7 and Phoenix LiveView v0.18 to create a secure way for users to access your app and its resources.
Project Overview
We’ll start by creating a module that serves as an interface between our app and Guardian’s default implementations. This module will enable us to generate a secret key to sign JWTs and create an endpoint that returns a JWT when a user provides valid credentials. Next, we’ll create a new endpoint that uses the JWT to grant access to certain resources. We’ll use the user’s ID to fetch their information and check if they are an admin. If they are, we’ll return additional information that non-admin users won’t have access to.
Getting Started
To begin, let’s set up a new Elixir project with the Phoenix framework. This will provide us with a solid foundation to build our application. We’ll use the phx.gen.auth task to generate authentication and authorization code, including the necessary routes and views. This will scaffold LiveView authentication, which is great for our server-side app.
Setting Up Users and Passwords
With the authentication and authorization code generated, we’ve set up users and passwords. While it’s recommended to use services instead of handling passwords on your own platform, this will serve as a good starting point. Our authorization scaffolding adds users, passwords, and a session. We’ll piggyback on this feature, but instead of returning an authorized LiveView session, we’ll return a JWT with Guardian.
Creating an Endpoint
Now, let’s create an endpoint to test our work so far. We’ll call it get_token. This endpoint will get the user with ID = 1 and then call the Guardian API to encode and sign that user into a JWT. We’ll use dbg(jwt) to log the token out to the terminal for us to inspect. Then, we’ll set the response type to application/json and JSON encode our JWT.
Creating a Protected Endpoint
Let’s create an endpoint that uses the JWT to scope access. We can do two things: scope access with claims, which keeps the claims in the token and makes them readily available everywhere the token is used, or manage roles in the application and only keep the “sub” user ID in the token. We’ll create an is_admin key on the user and scope some access based on this boolean.
Returning a Secret Value
We’re close to our goal now. All that’s left is to check whether or not the user is an admin and return a super secret value if they are. We’ll make a quick modification to have the JSON also return the the_answer field, which invokes the get_answer(user) function. get_answer(user) either returns 42 if the user is an admin or unknown if not.
Final Thoughts
In this tutorial, we learned how to implement authorization in an Elixir project using Guardian and JWTs. We also learned how to use plug pipelines to fetch user information based on the JWT and how to check if a user is an admin before granting access to protected resources. With this setup, you can build a secure and scalable app that allows authorized users to access your resources in a controlled and protected manner.