# auth

**Repository Path**: mirrors_dwyl/auth

## Basic Information

- **Project Name**: auth
- **Description**: 🚪 🔐 UX-focussed Turnkey Authentication Solution for Web Apps/APIs (Documented, Tested & Maintained)
- **Primary Language**: Unknown
- **License**: GPL-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-08-08
- **Last Updated**: 2026-01-24

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

<div align="center">

# `auth`

A ***complete authentication solution*** for **Phoenix** Apps/APIs
you can setup in ***5 minutes***.

<!-- ![GitHub Workflow Status](https://img.shields.io/github/workflow/status/dwyl/auth/Elixir%20CI?label=build&style=flat-square) -->
[![codecov.io](https://img.shields.io/codecov/c/github/dwyl/auth/master.svg?style=flat-square)](http://codecov.io/github/dwyl/auth?branch=master)
[![Hex.pm](https://img.shields.io/hexpm/v/auth?color=brightgreen&style=flat-square)](https://hex.pm/packages/auth)
[![docs](https://img.shields.io/badge/docs-maintained-brightgreen?style=flat-square)](https://hexdocs.pm/auth/api-reference.html)
[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/dwyl/auth/issues)
[![HitCount](http://hits.dwyl.com/dwyl/auth.svg)](http://hits.dwyl.com/dwyl/auth)
<!-- uncomment when service is working ...
[![Libraries.io dependency status](https://img.shields.io/librariesio/release/hex/auth?logoColor=brightgreen&style=flat-square)](https://libraries.io/hex/auth)
[![Inline docs](http://inch-ci.org/github/dwyl/auth.svg?branch=master&style=flat-square)](http://inch-ci.org/github/dwyl/auth)
-->

</div>

## Why?

Letting people authenticate is *essential* any time
there is _personalized_ content/functionality to display.<br />
We needed an *easy* way of doing Login/Authentication for our projects
that we could drop into any project <br />
and be up-and-running in _minutes_
without worrying about complexity or maintenance.

After much research, investigation and development,
we created **`Auth`**;
a re-useable "starter pack"
for _all_ our Auth needs. <br />



### What's In It For Me?

As a developer, _using_ this App you can _rest assured_ that:

+   [x] **All code** for **authentication** in _your_ app
is **nicely contained & organized** in a ***single place***.
+   [x] An order of magnitude less code than any other auth system
and all code is ***well documented, tested & maintained***.
+   [x] Whenever there is an update in the underlying modules (_dependencies_)
we **update** and throughly tested in a ***timely manner***.
+   [x] All ***personally identifiable information*** is securely stored
in a logically separate place from your main application
so you have extra security.
+   [x] You only have to **update _one_ thing**
and your app continues to work as expected.

## What?

Login for Elixir/Phoenix Apps/APIs which gives you a set of routes
and a predictable usage pattern.

### What Can People Use to Authenticate?

+   **Email+Password** - Email and Password (_enabled by default_)
+   **GitHub** - Allow people to login with their GitHub Account using OAuth2
+   **Google** - Let people authenticate with the most popular auth system!

<!-- this section needs to be re-worded ... or removed!

### _Tested_


Our *objective* is to **_extensively_ test every aspect** of this package
so that we can *rely* on it for our *high-traffic/security* projects.

If you spot _any_ area for improvement, please create an issue:
https://github.com/dwyl/auth/issues (_thanks!_)

### Email Verification

Email is _still_ the _dominant_ way we communicate with people on the web.

Once the person has authenticated using their preferred method,
send them an email to verify their "account". <br />
This acts as a "double-opt-in" and ensures that our app is _able_
to contact the person in the future. <br />
e.g: to reset a password or send an update/notification.

#### Why Email?

We don't think "Auth" _can_ be done without _some_ form of verification. <br />
We could send SMS or "Native" Notifications but both _cost more_ than email.

-->

# How?

As the description suggests, this module is built for apps built with the
[**Phoenix**](https://github.com/dwyl/learn-phoenix-framework) web framework.  
If you or *anyone* on your team are new to Phoenix, we
have an **introductory tutorial**:
[github.com/dwyl/**learn-phoenix-framework**](https://github.com/dwyl/learn-phoenix-framework)




## 5 Minute 5 Step Setup

> **Note** the App will **_not_ compile/work** 
until you have the **required environment variables**. <br />
You will see an error similar to: 
[**issues/157**](https://github.com/dwyl/auth/issues/157).
See the 3<sup>rd</sup> step below.

> If you run `mix ecto.setup` in step 4 without the 
required environment variables,
even if you set them and try to run the command again,
it will error.
You will see this error in
[**issues/266**](https://github.com/dwyl/auth/issues/266).
Just delete the created database and run the command again.


### 1. Clone the project:

```sh
git clone git@github.com:dwyl/auth.git && cd auth
```

### 2. Install dependencies:

```sh
mix deps.get
```

### 3. Environment Variables

The Auth App checks for the presence of
_specific **Environment Variables**_
to enable each authentication provider.

> If you are totally new to Environment Variables,
see: [github.com/dwyl/**learn-environment-variables**](https://github.com/dwyl/learn-environment-variables)

An authentication provider (_endpoint_) will only work
if the Environment Variable(s) for that service are present.

If you want to enable a specific 3rd Party Authentication service,
simply ensure that the relevant Environment Variables are defined.


#### Google Auth

To enable Google Auth
you will need to have two Environment Variables set:
```sh
GOOGLE_CLIENT_ID=YourAppsClientId.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=SuperSecret
```
To *get* these Environment Variables,
You will need to create an App on https://console.developers.google.com
and get your `CLIENT_ID` & `CLIENT_SECRET`.

Full instructions to create your Google Auth App:
[create-google-app-guide.md](https://github.com/dwyl/elixir-auth-google/blob/master/create-google-app-guide.md)


#### GitHub Auth

Similarly, for GitHub Auth,
you will need to have these environment variables:
```sh
export GITHUB_CLIENT_ID=CreateGitHubApp
export GITHUB_CLIENT_SECRET=SuperSecret
```

Full instructions to create your GitHub App:
[create-github-app-guide.md](https://github.com/dwyl/elixir-auth-github/blob/master/create-github-app-guide.md)

#### Full List of Environment Variables

For the _full_ list of environment variables
the `Auth` App expects, see:
[`.env_sample`](https://github.com/dwyl/auth/blob/master/.env_sample)


For completing the setup of the `Auth` App,
you will need to have the `ADMIN_EMAIL`
environment variable defined. <br />
And for sending emails you will need the
`SECRET_KEY_BASE` and `EMAIL_APP_URL` defined.


### 4. Create and migrate your database:

> Ensure that PostgreSQL is running
  on your localhost before you
  run this command.

```sh
mix ecto.setup
```

### 5. Start Phoenix App

```sh
mix phoenix.server
```

**Note**: It may take a minute to compile the app the first time. ⏳

Once the Phoenix App is compiled/running,
you can visit [`localhost:4000`](http://localhost:4000) from your browser.


### 6. Check application status

Visit [`localhost:4000/init`](http://localhost:4000/init) to make sure that
all the environment variables are properly defined:

![image](https://user-images.githubusercontent.com/194400/152709372-6496b83d-4a8a-4a14-ba5f-f41645fe8c1c.png)


<br />

### Dependencies

This project builds on the _fantastic_ work done _many_
people in the Elixir/Phoenix community.


+   Phoenix default session handling
(_so your app handles sessions for authenticated users the same way
  the example apps in all the Phoenix docs_)
+   GitHub OAuth2 Authentication: <https://github.com/dwyl/elixir-auth-github>
+   Google OAuth Authentication: <https://github.com/dwyl/elixir-auth-google>


<br />

### Email + Password Registration / Login

This diagram depicts the flow:

<img width="1470" alt="registration-login-email-password-flow-diagram" src="https://user-images.githubusercontent.com/194400/81224631-e8891b80-8fdf-11ea-8e75-e3751d407b38.png">

[Edit this diagram](https://docs.google.com/presentation/d/1PUKzbRQOEgHaOmaEheU7T3AHQhRT8mhGuqVKotEJkM0/edit#slide=id.g7745f61495_0_0)



### Email

When people register with their `email` address
or authenticate with a 3rd party Authentication provider (e.g: Google),
an email is sent to the `email` address welcoming them.
The `Auth` App uses an external email service
for sending emails:
  <https://github.com/dwyl/email>

![app-services-diagram](https://user-images.githubusercontent.com/194400/77526292-41628180-6e82-11ea-8044-dacbc57ba895.png)

[Edit this diagram](https://docs.google.com/presentation/d/1PUKzbRQOEgHaOmaEheU7T3AHQhRT8mhGuqVKotEJkM0/edit#slide=id.g71eb641cbd_0_0)

The Email app provides a simplified interface for sending emails
that ensures our main App can focus on it's core functionality.

<br /> <br />

## Frequently Asked/Answered Questions

### Why NOT Use a Service Like Auth0, Cognito, Stormpath, etc?

There are _several_ "Authentication-as-a-Service" providers
which promise to solve all your auth worries with a few clicks.
They are _fine_ for people/projects who _don't_ mind
sending personally identifiable information to a 3rd party service.
We care about privacy so we _have_ to know _exactly_ where
the login details (_Email Address, Name, etc._) of people _using_
our apps is _stored_.

If you prefer to use (_and pay for_)
one of the existing
["black box"](https://en.wikipedia.org/wiki/Black_box)
services
and "not have to think about auth" then go for it!

_This_ repo/project is for people who _do_ want to think about auth,
want to _know_ where sensitive data is stored and want to
be able to extend the code if they choose to.

### Phoenix Has a Session System, Does this _Use_ It?

Phoenix has a built-in mechanism for sessions:
  <http://www.phoenixframework.org/docs/sessions>

This project _uses_ and _extends_ it to support several 3rd party auth services.

<br /><br />

### Troubleshooting

If you see the following error error 
when visiting the status (_or any other page_):
http://localhost:4000/status
![image](https://user-images.githubusercontent.com/194400/152191803-e7127118-7107-40aa-aaa7-a4618726b689.png)

You forgot to create and export the 
`SECRET_KEY_BASE`
environment variable.

Create a [secret](https://hexdocs.pm/phoenix/Mix.Tasks.Phx.Gen.Secret.html)
by running the following command in your terminal:

```sh
mix phx.gen.secret
```

Copy the output and export it, e.g:

```sh
export SECRET_KEY_BASE=mAfe8fGd3CgpiwKCnnulAhO2RjcSxuFlw6BGjBhRJCYo2Mthtmu/cdIvO3Mz1QU8
```

Where the long string 
is whatever was generated above.
Once the 
`SECRET_KEY_BASE`
environment variable is exported
and you restart the app,
it should work as expected.



## Background Reading

If you are new to Authentication, 
we recommend checkout out these great resources

+   Auth Boss: <https://github.com/teesloane/Auth-Boss>
+   Introduction to OAuth2: <https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2>

![wake-sleeping-heroku-app](https://dwylauth.herokuapp.com/ping)