Remember me functionality in Phoenix using Guardian


Question

I'm developing a login system for a web application using Guardian to handle authentication. In my Guardian config I have

ttl: {30, :days}

User's token is stored in cookies by calling:

defp login(conn, user) do
  conn
  |> Guardian.Plug.sign_in(user)
end

Like this, token is valid for 30 days and stays there even if browser is closed (expected behaviour for a cookie). User, however, should be able to choose if being remembered or not during login. If not, token must be deleted from cookies upon closing browser window. I've tried to set

ttl: {0, :days}

and it seems to accomplish the needed behaviour. Said that:

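  1. Is ttl: {0, :days} the correct way to authenticate a user until the browser window is closed? If so, how can I programmatically change the ttl value in the pipeline before calling Guardian.Plug.sign_in(conn, user)?
  2. Can Guardian store the token in a cookie or in session storage based on the user's choice? (Cookie if remember me is selected, session storage otherwise)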

Recommended answer

Maybe check the Guardian.Plug.remember_me/4 function. There's an example on Guardian's GitHub.

# Set a "refresh" token directly on a cookie.
# Can be used in conjunction with `Guardian.Plug.VerifyCookie`
conn = MyApp.Guardian.Plug.remember_me(conn, resource)

Changing the TTL is very dangerous here, because it means that right after login you have an expired token, so every single API route would not work if you authorize the request based on the token.

Guardian is able to store the session and store the token at the same time, so probably you would need to customize the auth system to your needs.
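One way to wire the opt-in the answer points to, as an added example (not code from the original post or from Guardian's repository). It assumes a Guardian 1.x-or-later implementation module named MyApp.Guardian and a Plug session cookie with no max_age; the module name MyAppWeb.SessionHelpers and the "remember_me" form parameter are hypothetical.

```elixir
# Added example. MyAppWeb.SessionHelpers and the "remember_me" param are
# hypothetical names; MyApp.Guardian is the app's Guardian implementation module.
defmodule MyAppWeb.SessionHelpers do
  alias MyApp.Guardian

  # TTL of the access token stored in the Plug session. The session cookie
  # itself has no max_age (assumption), so the browser drops it on close.
  @access_ttl {1, :hour}

  # TTL of the "refresh" token written to its own persistent cookie.
  # Issued only when the user ticks "remember me".
  @remember_ttl {30, :days}

  # Always sign in through the session; add the long-lived cookie on opt-in.
  # The per-call :ttl option overrides the configured default, so the
  # global `ttl:` setting never has to be set to {0, :days}.
  def login(conn, user, params) do
    conn = Guardian.Plug.sign_in(conn, user, %{}, ttl: @access_ttl)

    if params["remember_me"] == "true" do
      Guardian.Plug.remember_me(conn, user, %{}, ttl: @remember_ttl)
    else
      conn
    end
  end

  # On logout, remove the session token and the remember-me cookie together,
  # otherwise the leftover refresh cookie would sign the user back in.
  def logout(conn) do
    Guardian.Plug.sign_out(conn, clear_remember_me: true)
  end
end
```

The refresh cookie only takes effect if the pipeline includes a plug that reads it, such as the `Guardian.Plug.VerifyCookie` mentioned in the answer's snippet.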
