When I started using elixir on all my personal work around a year ago, authentication was the part I always ended up rebuilding time after time. I ended up making AccessPass with a couple goals in mind.

Very fast token solution that does not require hitting the database each request. Unlike normal token solutions I still wanted to be able to revoke tokens. Very easy setup to get integrated into an existing project covers all the things no one like to have to remake(confirmation emails/password reset/forgot username)

Before I go any further I should mention that AccessPass is very opinionated in that it requires postgres and follows a user schema provided inside AccessPass. These decisions may not be right for everyone but I tried to add some customization options in order to negate some of my own personal choices. There are a lot of other authentication libraries out there if AccessPass ends up to opinionated for you.

Under the hood

AccessPass uses the idea of opaque tokens(tokens are just a key to user data on the server). AccessPass sets up numerous ETS tables that handle housing all data and expiring tokens after a configured amount of time. Out of the box AccessPass provides an access_token that last 5 minutes and refresh_token that does not expire. I personally recommend you you leave access_token expiration to 5 minutes as it makes someone else getting their hands on your access_token much less a big deal.

AccessPass provides a Plug to validate an access_token in headers and secure api routes.

One thing to note is unlike some authentication libraries you can use AccessPass outside of phoenix as there is no direct dependency.

but anyways enough of me talking about it lets jump into some code so you can see just how easy it is.

Getting started with phoenix

Getting started in phoenix is as simple as doing the following:

First add access_pass to your deps. You may also need to add the override on poison to clear up any conflicts.

Add the above to your configuration file. If you do not fill in the mailgun stuff sending confirmation emails will not work but AccessPass will not break. Check here for all other configuration options.

Next, you need to create a user migration

mix ecto.gen.migration add_users

copy and paste below into your new migration(below is located in priv/repo/migrations/example_migration.exs in AccessPass) for all future projects.

now that we got all the boring setup out of the way you can actually use AccessPass:

After getting through all the configuration AccessPass is as easy as dropping 2 lines in your router file. The above gets you all this.

From this point you are all good to go and have all the endpoints you need for a full authentication solution.

Authorize routes

In the above gist is an example of authorizing all routes that start with /admin. You could use the plug Auth in your controllers directly if you do not want to do auth in a pipeline but I prefer it in pipelines.

Wrapping up

After a bit of boring configuration you can really see how easy AccessPass is to use. I will probably do more blog post in the future as there are a lot of things you can configure and change with how everything works. I am using AccessPass in all of my current projects and intend to keep improving it for future use. Here is the github and pull requests are always welcome! Lastly if you are going to give AccessPass a try I recommend going through the crash course on hex.