DEV Community: James Moore

Implementing Authorization using Role Based Access Control (RBAC) in Phoenix Web Applications

James Moore — Thu, 27 Feb 2020 17:34:57 +0000

Setting up Authorization in Phoenix web applications

Here's an exchange I've had on a few occasions when discussing a new
web app project:

Ok, I can't blame Bob for not wanting to talk about security and
authorization, it's not interesting or fun, however dodging these types of
questions can leave us, developers, in a tough spot.

So what do you do in a situation like this, where the details are vague, but
you've got to start implementing something?

Well, you need to be careful, because you're facing a couple of big risks.

Without clear direction, you might end up:

Adding too few authorization features
or adding unnecessary authorization features.

Here's my suggestion, for dealing with authorization when the requirements
are vague.

Choose an approach that:

is simple and well understood
is widely adopted
follows the 80/20 rule (on features)

So what approach is simple and well understood?

This would have to be Role Based Access Control (RBAC), which is been around
for almost 3 decades. RBAC doesn't solve every authorization problem you
might have, but it is relatively simple, and well understood.

So what's the most widely adopted approach?

Well, that would have to be Role Based Access control as well, in fact, most
larger businesses use some form of Role based access control, in the systems
they use.

What do I mean by "follows the 80/20 rule"?

It means, choosing the solution that takes ~20% of the effort, compared to the
more sophisticated options, yet it covers ~80% of the use cases you have.

Role Based Access Control, feels like the perfect 80/20 solution.

So, how might you implement Role Based Access control in a Phoenix Web
application?

Check out the above free screencast to learn more.

Links

Screencast Git Repo

Phoenix LiveView

Authorization In Elixir & Phoenix with pow and pow_assent

Want to learn more about Elixir & Phoenix?

Checkout my new course: Elixir & Phoenix for
Beginners

Easy Authentication in Elixir & Phoenix with the pow & pow_assent libraries

James Moore — Tue, 11 Feb 2020 16:57:45 +0000

Setting up authentication in new Phoenix web apps

I always enjoy starting new web projects, its a nice clean slate and an opportunity for you to create a solution that's hopefully better designed and engineered than the other projects I've worked on... and there are all sorts of interesting things to think about and research, and there's no technical debt to deal with (yet), and there are no pending deadlines, and so on.

But here's the thing, as soon as I start setting up the new Elixir / Phoenix project, my excitement fades pretty quickly, because, in my mind, project setup should take a matter of minutes, but in reality project setups takes much longer than I expect, because... well, it's not something I do every day, so I always have to shake off the dust, do a bit of research to see if there are any new "best practices", or new libraries I should look at and so on.

So what?

Ok, so why am I talking about this?

Well, because sometimes we make these initial setups harder than they have to be, and I want to look at one particular aspect of setting up a new project, that I suspect many of us do the hard way, I know I have.

The thing I want to look at is handling authentication in a new phoenix project... And I want to consider the question: "how should I handle authentication? roll my own or use a library"

Check out the above screencast to see my take on handling authentication in Elixir / Phoenix web applications.

Spoiler alert

Do you want to know the gist of the screencast?

Even thought it's "easy", you probably shouldn't write your own authentication system, you should just use the excellent pow and pow_assent libraries. I make the case for using these libraries and show you how in just a matter of minutes you can:

Create a new Phoenix project
Setup authentication
Add simple route based authorization
Setup password resets
Setup social logins (ie login with Twitter, Facebook, Github, etc)

If you like pow & pow_assent, please reach out to the primary author, Dan Schultzer and thank him for all his hard work.

Additionally, if you can, please consider sponsoring Dan's open source-work, either personally or through your employer. I believe open source authors are truly under-appreciated, but we can change that if we all chip in just a little bit.

Want to learn more about Elixir & Phoenix?

Checkout my new course: Elixir & Phoenix for Beginners

Introduction to Phoenix LiveView

James Moore — Tue, 05 Nov 2019 23:29:23 +0000

A couple years ago I was at the beginning stages of a new web project, and I was figuring out how I wanted to build the app. I felt like I had a pretty good understanding of what the requirements were, and initially, I was thinking I could build the app as a traditional MPA (Multi Page App).

Ok, building MPA's isn't cool or sexy, but it's way simpler than building SPA's (Single Page Apps), and I'm more productive with MPA's and in my opinion, these kinds of apps are easier to maintain... I mean, if you think about it, the jump from MPA's to SPA's adds a ton of complexity, and having to switch back and forth between a frontend and a backend language is a real cognitive burden.

Anyway, as I was thinking about how to implement the app, I was stuck on a couple small but important features that would be pretty hard to implement in a MPA, and I was thinking about some of the phase 2 features, and I started to question the viability of implementing this app as a MPA... It felt like a decision I might regret later, so I did what many of us have done, and I just built it as a SPA.

But honestly, this wasn't an easy decision... In building it as a SPA, I basically took on a bunch of complexity, just to have the ability to add "rich" features, which for the most part I didn't need.

In hindsight, I don't know if building this app as a SPA was the right choice. It took me longer to implement, and those future features I was worried about, were never added, and every once in a while when I work on this project, npm tells me I'm using a bunch of libraries that have vulnerabilities... so I have to spend a significant amount of time digging into the vulnerabilities, and resolving them, and of course it's a reminder that I should probably be more proactive in maintaining my apps, even when I'm not adding features.

It would be kind of nice if there was a middle ground between SPA's and MPA's... in other words, it would be nice if there was a way to build web apps with richer features, without having to take on all the complexity associated with SPA's... right?

Well, I've got good news, there's a new way to build applications that offer rich, real-time features without adding a ton of complexity.

Now, the solution I'm referring to is quite novel, and there's a good chance your first impression will be something along the lines of "This seems a little crazy"... Those were my first thoughts, but after learning more about it, and using it, I've become a believer.

So what is the new option I'm referring to?

It's called Phoenix LiveView, which is a library that works with the Phoenix Web Framework.

If you're curious about Phoenix LiveViews, and you want to learn more, you should checkout the screencast I just released (shown below).

Now, LiveView only works with the Phoenix Web Framework, which is written in Elixir, but you don't need to know Phoenix or Elixir to watch this screencast... In fact, I made this video specifically for web developers who don't know Elixir (if you do know Elixir, I think you'll still find a lot of value in watching this video).

Ok, even if you have no intention of using Elixir or Phoenix, you still might want to watch this video, because it truly is a unique solution that I bet you'll find interesting, and I think exposing yourself to new ideas like this, can often lead to other creative solutions.

Want to learn more about Elixir & Phoenix?

Checkout my new course: Elixir & Phoenix for Beginners