Preparing for Authentication
Authentication is one of those features that can make or break your whole application experience. Programmers need to be able to easily layer on the right services and to direct requests where they need to go. Administrators need to trust the underlying policies, and also to configure the password constraints. Initially, we’ll plan our approach and install the necessary dependencies.
Our approach to authentication will be a conventional one. Users will provide credentials when registering. We’ll store those in the database in a secure way. In our application, a session will contain the data about each individual user. We’ll let Phoenix manage the details. A user starting a session will need to provide the credentials, and we’ll check those against our database. We’ll mark each user as authenticated in the session, so that users are granted access until their sessions expire or they log out. We will build these functions and expose those ideas into the Accounts context.
Above all else, we want this system to be secure. We won’t write the dicey parts ourselves, and we’ll make sure that we use approaches that are well understood to be secure. We’ll use as much as we can from Phoenix, and we’ll rely on Comeonin to handle the critical hashing piece.
Comeonin[16] is a specification for password hashing libraries. It provides up-to-date and secure hashing schemes. We will use the Pbkdf2 password hashing technique, as it does not require any native dependencies, but there are other options listed on Comeonin’s documentation. Add :pbkdf2_elixir to your mix.exs dependencies to handle password hashing, like this:
| | defp deps do |
| | [ |
| | ..., |
| | {:pbkdf2_elixir, "~> 1.0"} |
| | ] |
| | end |
:pbkdf2_elixir, like our other dependencies in mix.exs, is an application. An application is what you think it is: a collection of modules that work together and can be managed as a whole. So far, our application depends on :phoenix and :phoenix_ecto, as you’d expect, but also the :postgrex database driver, :gettext for internationalization, and now :pbkdf2_elixir for managing our password hashing.
Our application also relies on applications that ship as part of Elixir and Erlang. Those are not listed under deps, but within the application function in your mix.exs:
| | def application do |
| | [ |
| | mod: {Rumbl.Application, []}, |
| | extra_applications: [:logger, :runtime_tools] |
| | ] |
| | end |
The application function tells Mix how to start our :rumbl application, and we configure Elixir to start :logger and :runtime_tools, which are part of the standard library.
Now run mix deps.get to fetch your new dependencies, like this:
| | $ mix deps.get |
This command downloads the :pbkdf2_elixir dependency into deps directory. Elixir will make sure to start it before your own :rumbl application. Now that our preparations are out of the way, we’re ready to begin the implementation.