-
Notifications
You must be signed in to change notification settings - Fork 381
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add SlidingCookie plug #616
Conversation
Codecov Report
@@ Coverage Diff @@
## master #616 +/- ##
=========================================
+ Coverage 86.32% 86.52% +0.2%
=========================================
Files 21 22 +1
Lines 424 438 +14
=========================================
+ Hits 366 379 +13
- Misses 58 59 +1
Continue to review full report at Codecov.
|
Ah ha. Fixed formatting :) |
Rebased on master and added |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very cool idea and makes the remeber_me and verify token much more useful. 👍
I think it is really important to note that this can cause a session to be authorized indefinitely, but you already touch upon this.
I have added a few comments apart from this, great PR
@@ -767,6 +782,25 @@ defmodule Guardian do | |||
apply(mod, :config, [:token_module, @default_token_module]) | |||
end | |||
|
|||
@doc false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might make sense to move this to https://github.com/ueberauth/guardian/blob/master/lib/guardian/token/jwt.ex and do a small refactor to avoid a bit of code dublication
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well.. it's funny you should say this, as a version of this logic did previously exist in jwt.ex, I necessarily decoupled the Map.put
stuff in assign_exp_from_ttl
from the actual ttl parsing to avoid the duplication, and then moved it out of jwt.ex to guardian.ex as I viewed it as a general utility function; it didn't seem to have anything really to do with the JWT token implementation at all as such at that point... and calling code from jwt.ex to parse a config option just didn't seem quite right to me... I'll move it to jwt.ex if you like though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you are right, that it should actually live in guardian
, and we should just refactor jwt
to use the code from guardian
and not the other way around
README.md
Outdated
@@ -295,6 +295,11 @@ Look for a token in the session and verify it | |||
|
|||
Look for a token in cookies and exchange it for an access token | |||
|
|||
#### `Guardian.Plug.SlidingCookie` | |||
|
|||
Replace a token in cookies with a new one if it is older than a configured |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am thinking this sounds a bit backward. Would it make sense that, what we configure is the minimum remaining time of the token, before we would refresh it? For me, this is mostly the way I think about refresh time
I think the current way can cause some trouble if you change the ttl of the refresh token.
Say we have a refresh ttl of 7 days, and we want to refresh only when there is one day left, we would set the sliding ttl to 6 days. Changing the refresh ttl to 14 would cause the refresh to happen when there are still 8 days left.
@mwri @ueberauth/developers Let me hear what you think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm absolutely with you on this, I tossed up about which way to go to be honest, a time after which it's renewed vs a time relative to the expiry... I'm very happy to change it to a minimum time remaining instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that would make sense :D
lib/guardian/plug/sliding_cookie.ex
Outdated
end | ||
end | ||
|
||
defp find_token_from_cookies(conn, opts) do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should share this function between verifyCookie and slidingCookie?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. I don't like code duplication but let this pass as it was a small function, and I wasn't sure it was worth coupling the two modules to share it. I don't feel strongly either way though, happy to call the VerifyCookie
version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, could move it to plug.ex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be great I think we have some code in plug
that basically does this aswell
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked at that, it has quite a lot in common with fetch_token_key/2
, but it they don't really refactor together nicely IMO; I think the result would just be more abstract less clear code. The kicker is find_token_from_cookies/2
does token = conn.req_cookies[key] || conn.req_cookies[to_string(key)]
, using a string and atom version of the key. I'm not sure if this is necessary, the unit tests certainly pass fine with just token = conn.req_cookies[to_string(key)]` and my app is ok with it, but I'm a little reluctant to change such an obviously deliberate effort without more research, I don't know what behaviour older versions of Phoenix might have had that might necessitate it, or something else I haven't thought of...
Sorry, I don't know how I accidentally closed it there, must have hit a key when the button was highlighted or something. |
Agreed changes completed, I think. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work 👍
Would love to have a view from one other @ueberauth/core and a rebase from you @mwri |
Rebased. |
Cheers. Always a pleasure to contribute a well received PR. |
Adds a
SlidingCookie
plug which implements a sliding window/session behaviour, allowing the remember_me cookie to be replaced before it expires.Configure (or use plug option) like so:
Add to Guardian pipeline, for example:
Provide
sliding_cookie
callback implementation: