Authentication is such a common problem, most production apps (apps that companies will pay to have made) need to deal with authentication (and authorization, more on that later), that it seems strange to me that it is not included, at least as an option, in frameworks such as Rails or Phoenix. Coming from Spring (which has the almighty Spring Security), it seems that something should be supplied, at least the bare mechanics that enable you to build your own. Some plug, for example, that gives a rough idea of how to go about implementing it with best practices in mind, or a generator. I think this may be even more practical than contexts. Not to bash contexts, I like the idea; one of the reasons I do not like Rails (but love Hanami) is because of this. However, I think authentication is something that would be more practical. The following is an opinionated review of three of the top packages to use when dealing with authentication in Phoenix.
I know authorization is a separate concern; however, it is so commonly used in combination that I feel the packages should include it, at least as an optional part. Two of the three packages mentioned do not.
The most “standard” is guardian. It (in combination with Comeonin and Canary) seems to be the most popular route when building authentication in an app. And with good reason: it is the oldest of the three and is quite simple to use. It is very flexible, and the setup is very bare bones. It stays out of your way and allows you to set up your authentication process however you like. It is, in my opinion, a little verbose. I think an authentication library should be a little quicker to get running, i.e. you have to write a serializer. Or it should at least ship with some generation, as it is a fairly mundane thing to do.
I first heard of coherence from a client who wanted a simple app that had authentication. It is the polar opposite of guardian. It supplies generators and has a vast array of options (invitable, recoverable, confirmable, etc.) for its configuration, and I think that it is overkill. Unless the setup perfectly matches what you are looking to implement, I really wouldn’t use it. I think it is great to install and have a look at how the author sets up authentication; however, even being fairly big (generating quite a bit), it still doesn’t include authorization! I can kind of see why guardian keeps it separate: it is very small, and mostly stays out of your way. But for this package, which generates quite a bit and is not very flexible or extensible (when compared to the other two; everything is flexible/extensible to a degree), I find it strange that it doesn’t come with authorization built in. I know it is not a popular opinion, but again, coming from Spring I am kind of spoiled - it is assumed that if you are using authentication then you will most likely need authorization. Anyway, I find this framework the most “finicky”: there are a lot of things to change if you want to get it working with an app that in any way deviates from how the author works.
Out of my frustration with having used the previous two frameworks I browsed around and found this gem. It is written by the same fellow who wrote Comeonin, so even though it is not that popular at the moment, I have faith he will continue maintaining it and hopefully it gains some more momentum. This is a beautiful package, it is very very simple and at the same time powerful. It provides an easily extensible and flexible bit of code that is easy to understand and customize. And, it comes with authorization! I love it. You do not need to use authorization, but I typically need authorization if I am using authentication so it is great that both are packed in. Also, the authorization is so beautifully documented and simple that it makes adding your own methods to the supplied files very intuitive. I absolutely love working with this package, it is basically what I would do if I coded auth from scratch, and very idiomatic. Please check it out.
House Keeping/More to Come
So I wanted to get one thing out of the way in this post: I am back on emacs - this time with evil mode. I know I wrote a whole thing on vim this, vim that, but after trying to work in vim with Java, Kotlin, Elixir, Ruby, and C++ I found Elixir had better packages for this. Also, using Multiterm in Emacs is actually a bit better than tmux (IMHO). I wish that there was a tmux editor - something that would work like vim plugins for creating files and browsing directories or running REPLs a bit quicker than the command line, and had vim integrated in the app, but emacs is basically filling that need for me now. I am happily using it instead of IntelliJ for Java, plus all other languages I need. I should mention, if you like VS Code, Red Hat makes a FANTASTIC package for working with Java. I would be using it if it wasn’t for VS Code’s lack of keyboard bindings like emacs - (C-c p
More is to come! I will be doing a tutorial on setting up basic auth with all three frameworks as soon as I have time, and getting repos up on GitHub.