Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

magic link authentication for phx.gen.live #1

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

magic link authentication for phx.gen.live #1

wants to merge 17 commits into from

Conversation

SteffenDE
Copy link
Owner

No description provided.

@SteffenDE SteffenDE force-pushed the sd-magic-link-live branch 3 times, most recently from 3983d0e to 5507e43 Compare February 3, 2025 17:16
@SteffenDE SteffenDE mentioned this pull request Feb 3, 2025
Open
SteffenDE
SteffenDE commented Feb 3, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
SteffenDE
SteffenDE commented Feb 3, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
SteffenDE
SteffenDE commented Feb 3, 2025
View reviewed changes
lib/auth_app_web/live/user_live/settings.ex Outdated

case Accounts.update_user_password(user, password, user_params) do
case Accounts.apply_user_password(user, user_params) do
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is necessary because we want to disconnect existing LiveView connections when a password is changed (we already invalidate the sessions). This is not happening at the moment, which could be a security risk. The problem with the old setup (changing the password in the LiveView) is that we clear the tokens when changing the password, so this is also the moment where we need to broadcast disconnects for all old sessions. Broadcasting here would break the flow though, because the current LiveView would be disconnected before it has a chance to actually handle the trigger_submit. Instead of doing a "disconnect everything except me" which would require us to know the session token in the LiveView, we instead move the actual password change mechanism to the controller and only validate here.

SteffenDE
SteffenDE commented Feb 3, 2025
View reviewed changes
lib/auth_app_web/router.ex Outdated Show resolved Hide resolved
josevalim
josevalim reviewed Feb 4, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
josevalim
josevalim reviewed Feb 4, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
josevalim
josevalim reviewed Feb 4, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
josevalim
josevalim reviewed Feb 4, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
josevalim
josevalim reviewed Feb 4, 2025
View reviewed changes
lib/auth_app/accounts.ex Outdated Show resolved Hide resolved
@SteffenDE SteffenDE marked this pull request as ready for review February 10, 2025 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@josevalim josevalim josevalim approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@SteffenDE @josevalim