docs: improve security in the 'Get Started' guide (#681)

* docs: improve security in the 'Get Started' guide

- Use a bang function to ensure that the `signing_secret` will raise an
exception if it is absent from the config (instead of just silently
evaluating to `nil`)

- Add config example for the secret signing token

- Add warning so that users are informed about the security implications
of using the basic configuration provided by the tutorial

- Rearrange the sections a bit so the `Token Generation` section comes
after the relevant code example

* docs: use correct function and modify secrets warning
Nicholas Moen 2024-05-13 11:13:57 -06:00 committed by GitHub
parent 66844e1d00
commit 7d838980f5
GPG key ID: B5690EEEBB952194


@ -222,6 +222,38 @@ identifier.
Now we have enough in place to register and sign-in users using the
`AshAuthentication.Strategy` protocol.
## Token generation
If you have token generation enabled then you need to provide (at minimum) a
signing secret. As the name implies this should be a secret. AshAuthentication
provides a mechanism for looking up secrets at runtime using the
`AshAuthentication.Secret` behaviour. To save you a click, this means that you
can set your token signing secret using either a static string (please don't!),
a two-arity anonymous function, or a module which implements the
`AshAuthentication.Secret` behaviour.
At its simplest you should so something like this:
```elixir
# in lib/my_app/accounts/user.ex
signing_secret fn _, _ ->
Application.fetch_env(:my_app, :token_signing_secret)
end
```
Then, specify the secret token in the config file:
```elixir
# in config/config.exs
config :my_app, :token_signing_secret, "some_super_secret_random_value"
```
> ### The signing secret must not be committed to source control {: .warning}
>
> Proper management of secrets is outside the scope of this tutorial, but is
> absolutely crucial to the security of your application.
## Plugs and routing
If you're using Phoenix, then you can skip this section and go straight to
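Review bot: the config example `config :my_app, :token_signing_secret, "some_super_secret_random_value"` is placed in `config/config.exs`, which is evaluated at compile time and normally committed, so it directly contradicts the warning block that follows it. Suggest moving the example to `config/runtime.exs` and reading the value from the environment, for instance `config :my_app, :token_signing_secret, System.fetch_env!("TOKEN_SIGNING_SECRET")`, or at minimum stating in the warning that the literal is a placeholder that must be replaced by a runtime lookup before deployment. Two smaller points on the same hunk: the commit message's first bullet still claims a bang function is used so that a missing secret raises, but the snippet calls `Application.fetch_env/2`, which returns `{:ok, value}` or `:error` rather than raising; the message is stale and should be reworded (or the text should say that a missing value surfaces as `:error` from the secret function). And "you should so something like this" should read "you should do something like this"; the typo travels with the moved section.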
@ -308,26 +340,6 @@ defmodule MyApp.Application do
end
```
## Token generation
If you have token generation enabled then you need to provide (at minimum) a
signing secret. As the name implies this should be a secret. AshAuthentication
provides a mechanism for looking up secrets at runtime using the
`AshAuthentication.Secret` behaviour. To save you a click, this means that you
can set your token signing secret using either a static string (please don't!),
a two-arity anonymous function, or a module which implements the
`AshAuthentication.Secret` behaviour.
At its simplest you should so something like this:
```elixir
# in lib/my_app/accounts/user.ex
signing_secret fn _, _ ->
Application.fetch_env(:my_app, :token_signing_secret)
end
```
## Summary
In this guide we've learned how to install Ash Authentication, configure