Discussion on: How to connect Pow and Live View in your Phoenix project

Karol Słuszniak

Thanks for the article. I remember spending a few days putting together the whole picture of making Pow and LiveView work together. It was right before phx.gen.auth came out and I’ve decided to switch to that as an easier fit.

I don’t remember the details but I recall that Pow is designed (or at least defaults to) a very aggressive session renewal model which means that your solution may miss an important aspect - the fact that Pow session may become invalid during the LiveView lifecycle resulting in allowing a user that’s actually logged out to act like he’s authenticated.

Also, and again not sure if it’s correct so please correct me if I’m wrong, aforementioned session renewal in Pow is based on recreating session every half an hour or so and since you can’t do that from LiveView without an HTTP request you’ll end up always expiring session if your app routes are live.

These findings led me to abandon Pow and go for phx.gen.auth. I consider extra work like covering gettext trivial compared to overhead coming from above architectural misalignments. Also, I agree with José Valim’s arguments for generated solution since I’ve always found Devise fast at first but hard to work with later on - not worth it IMO. But of course YMMV.

Regardless, it’s great to have a choice and this post gives just that.

Oliver Andrich Author

Thanks for the hints and pointers. I think I need to investigate the session handling issue.

Karol Słuszniak

If it helps, here's a rather long discussion about these concerns: github.com/danschultzer/pow/issues.... To me it looks like there's no perfect solution - Pow seems to highly depend on regular HTTP requests and making it work with socket-only session requires either functional/security sacrifices or a lot of added complexity. But I'm no auth/Pow expert so maybe I've missed some simple way around...

Oliver Andrich Author

Doesn't look very promising indeed. I read another thread which seemed to offer a simple solution. Seems like I need to test some code tonight. <3

Oliver Andrich Author

@karolsluszniak I knew about this thread, but spent a lot of time yesterday and today re-reading it. And my test candidate - my wife - almost immediately ran into issues. Maybe I should switch to phx.gen.auth then and learn a bit more about assent.