Bouncer: Token-based authorization and session management for Phoenix
I just finished a first pass at writing my own Elixir library to handle authorization and session management. I’ll be using it to authorize API requests for an upcoming application I’m building using the Phoenix framework and Ember.js. There are a few good options in Elixir land that you can use to help solve this problem, but I decided to roll my own to precisely fit my use case. I explain my reasoning in the Bouncer README:
Guardian also wouldn’t work because it uses JSON Web Tokens (JWT) as the basis for its authorization scheme. JWT can work but I don’t believe it’s a better system than the traditional session-based system. Guardian doesn’t provide a way of immediately invalidating user sessions, which is something I would like to do if a user resets their password. I also think a user should be given the ability to invalidate individual sessions (GitHub handles this nicely).
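The two properties the README excerpt asks for, revoking one session and revoking every session after a password reset, shown with server-side opaque tokens. This is an added example, not Bouncer's code or API; the module name `SessionStoreExample`, the in-memory Agent store and the device labels are assumptions made for illustration.

```elixir
defmodule SessionStoreExample do
  # Hypothetical module for illustration; this is not Bouncer's API.
  # State is an in-memory map: %{session_id => %{user_id: id, label: label}},
  # where session_id is the SHA-256 hash of the token handed to the client.

  def start_link, do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  # Issue an opaque random token. Only its hash is kept server-side.
  def create(user_id, label) do
    token = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
    Agent.update(__MODULE__, &Map.put(&1, hash(token), %{user_id: user_id, label: label}))
    token
  end

  # Every request consults the store, so a revoked token fails at once.
  def verify(token) do
    case Agent.get(__MODULE__, &Map.get(&1, hash(token))) do
      nil -> :error
      %{user_id: user_id} -> {:ok, user_id}
    end
  end

  # Sessions a user could be shown in order to revoke one of them.
  def list(user_id) do
    Agent.get(__MODULE__, fn sessions ->
      for {id, %{user_id: ^user_id, label: label}} <- sessions, do: {id, label}
    end)
  end

  def revoke(session_id), do: Agent.update(__MODULE__, &Map.delete(&1, session_id))

  # Called after a password reset: drop every session the user holds.
  def revoke_all(user_id) do
    Agent.update(__MODULE__, fn sessions ->
      sessions |> Enum.reject(fn {_id, s} -> s.user_id == user_id end) |> Map.new()
    end)
  end

  defp hash(token), do: Base.encode16(:crypto.hash(:sha256, token), case: :lower)
end

# Constructed walk-through: user 1 signs in on two devices.
{:ok, _pid} = SessionStoreExample.start_link()
laptop = SessionStoreExample.create(1, "laptop")
phone = SessionStoreExample.create(1, "phone")
{phone_id, "phone"} = List.keyfind(SessionStoreExample.list(1), "phone", 1)
:ok = SessionStoreExample.revoke(phone_id)
:error = SessionStoreExample.verify(phone)
{:ok, 1} = SessionStoreExample.verify(laptop)
:ok = SessionStoreExample.revoke_all(1)
:error = SessionStoreExample.verify(laptop)
```

Saved as a script and run with `elixir`, the pattern matches at the bottom raise a `MatchError` if a revoked token is still accepted.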
Bouncer isn’t a drop-in solution like Devise is for Ruby on Rails. It’s a library that allows you to use what you need and discard what you don’t. I wanted to provide flexibility while not requiring a whole lot of configuration so you could set up your user flow however you’d like. I also left out things like password authentication since libraries like Comeonin already cover this functionality so well.
Currently, I’m working on v0.1.0, which is a significant refactor and adds functionality to help with email verification and resetting passwords. I’d appreciate any feedback as I continue to work on Bouncer and get it production-ready.