mirror of
https://github.com/team-alembic/ash_authentication.git
synced 2024-09-19 12:52:55 +12:00
docs: improve security in the 'Get Started' guide (#681)
* docs: improve security in the 'Get Started' guide
  - Use a bang function to ensure that the `signing_secret` will raise an exception if it is absent from the config (instead of just silently evaluating to `nil`)
  - Add config example for the secret signing token
  - Add warning so that users are informed about the security implications of using the basic configuration provided by the tutorial
  - Rearrange the sections a bit so the `Token Generation` section comes after the relevant code example
* docs: use correct function and modify secrets warning
parent 66844e1d00
commit 7d838980f5
1 changed file with 32 additions and 20 deletions
@ -222,6 +222,38 @@ identifier.
Now we have enough in place to register and sign-in users using the
`AshAuthentication.Strategy` protocol.

## Token generation

If you have token generation enabled then you need to provide (at minimum) a
signing secret. As the name implies this should be a secret. AshAuthentication
provides a mechanism for looking up secrets at runtime using the
`AshAuthentication.Secret` behaviour. To save you a click, this means that you
can set your token signing secret using either a static string (please don't!),
a two-arity anonymous function, or a module which implements the
`AshAuthentication.Secret` behaviour.

At its simplest you should so something like this:

```elixir
# in lib/my_app/accounts/user.ex

signing_secret fn _, _ ->
Application.fetch_env(:my_app, :token_signing_secret)
end
```

Then, specify the secret token in the config file:

```elixir
# in config/config.exs
config :my_app, :token_signing_secret, "some_super_secret_random_value"
```

> ### The signing secret must not be committed to source control {: .warning}
>
> Proper management of secrets is outside the scope of this tutorial, but is
> absolutely crucial to the security of your application.

## Plugs and routing

If you're using Phoenix, then you can skip this section and go straight to
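Review bot: the new config example and the new warning in this hunk contradict each other. The example puts `config :my_app, :token_signing_secret, "some_super_secret_random_value"` in `config/config.exs`, a compile-time config file that is normally committed, while the admonition a few lines later says the signing secret must not be committed to source control. Suggest having the example read the value from the environment in `config/runtime.exs` instead, e.g. `config :my_app, :token_signing_secret, System.fetch_env!("TOKEN_SIGNING_SECRET")`, and letting the warning refer to that pattern, so the tutorial's own snippet does not demonstrate the thing it warns against. The callback body is fine as shown: `Application.fetch_env/2` returns `{:ok, value}` or `:error` rather than `nil`, so a missing key surfaces as a failed lookup; note however that this is the non-bang variant, so the first bullet of the commit message ("Use a bang function ... raise an exception") no longer matches the code and should be reworded to match the follow-up "use correct function". Minor: "you should so something like this" should read "do something".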
@ -308,26 +340,6 @@ defmodule MyApp.Application do
end
```

## Token generation

If you have token generation enabled then you need to provide (at minimum) a
signing secret. As the name implies this should be a secret. AshAuthentication
provides a mechanism for looking up secrets at runtime using the
`AshAuthentication.Secret` behaviour. To save you a click, this means that you
can set your token signing secret using either a static string (please don't!),
a two-arity anonymous function, or a module which implements the
`AshAuthentication.Secret` behaviour.

At its simplest you should so something like this:

```elixir
# in lib/my_app/accounts/user.ex

signing_secret fn _, _ ->
Application.fetch_env(:my_app, :token_signing_secret)
end
```

## Summary

In this guide we've learned how to install Ash Authentication, configure
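Review bot: the block removed here is the same text that the first hunk re-adds earlier in the guide, including the typo "you should so something like this", so the move carries the defect along; it should be fixed in the relocated copy. The deletion itself is clean: the `end` / ``` context at the top and the `## Summary` context at the bottom show the section boundaries are preserved.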