Bouncer: Token-based authorization and session management for Phoenix

Photo by Susan Sermoneta. Some rights reserved.

I just finished a first pass at writing my own Elixir library to handle authorization and session management. I’ll be using it to authorize API requests for an upcoming application I’m building using the Phoenix framework and Ember.js. There are a few good options in Elixir land that you can use to help solve this problem, but I decided to roll my own to precisely fit my use case. I explain my reasoning in the Bouncer README:

I needed a way to authorize API requests to my Phoenix application. Addict didn’t fit the bill since it uses Phoenix’s built-in session system. Phoenix uses cookies to authorize requests but when dealing with an API, it’s easier to deal with an Authorization header. Phoenix’s session system also uses memory or ETS to store session data and this wouldn’t work for my application which will be scaled horizontally and so will be running on multiple machines. Redis is great at solving this problem because it’s crazy-fast and can be accessed by multiple machines. The ecosystem around Redis is strong so working with the session data is pretty easy.
Guardian also wouldn’t work because it uses JSON Web Tokens (JWT) as the basis for its authorization scheme. JWT can work but I don’t believe it’s a better system than the traditional session-based system. Guardian doesn’t provide a way of immediately invalidating user sessions, which is something I would like to do if a user resets their password. I also think a user should be given the ability to invalidate individual sessions (GitHub handles this nicely).
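To make the design sketched in the README concrete, here is an added example of the same scheme (opaque token in the Authorization header, session state in Redis, revocation of one session or of all of a user's sessions). It is illustrative code written for this post, not Bouncer's own API, and it assumes the Redix and Plug libraries, a Redix connection started under the name `:redix`, and Redis key names of my own choosing. One deliberate deviation from the simplest approach: Redis holds only a SHA-256 of each token, so a leaked Redis dump does not hand out live credentials, and that hash doubles as the session id a user can see and revoke.

```elixir
# Added example (not Bouncer code). Session tokens live in Redis so every node
# of a horizontally scaled app can validate them and revoke them at once.
# Assumes: Redix connection registered as :redix (e.g. started in the
# application supervisor); key layout below is this example's own.
defmodule TokenSessions do
  @redix :redix
  @ttl_seconds 60 * 60 * 24 * 14 # example value: two weeks

  # Create a session for a user. Returns the raw token to hand to the client;
  # only its hash is stored, keyed under "session:<hash>" with the user id as
  # value, and indexed in a per-user set so "log out everywhere" can find it.
  def create(user_id) do
    token = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
    sid = session_id(token)

    {:ok, _} =
      Redix.pipeline(@redix, [
        ["SET", session_key(sid), Integer.to_string(user_id), "EX", @ttl_seconds],
        ["SADD", user_sessions_key(user_id), sid]
      ])

    token
  end

  # Resolve a raw token to a user id; nil when unknown, expired or revoked.
  def lookup(token) do
    case Redix.command(@redix, ["GET", session_key(session_id(token))]) do
      {:ok, nil} -> nil
      {:ok, user_id} -> String.to_integer(user_id)
      {:error, _} -> nil
    end
  end

  # Session ids (hashes) a user may list and revoke individually.
  def list(user_id) do
    {:ok, sids} = Redix.command(@redix, ["SMEMBERS", user_sessions_key(user_id)])
    sids
  end

  # Revoke one session (the GitHub-style "sign out this device").
  def revoke(user_id, sid) do
    {:ok, _} =
      Redix.pipeline(@redix, [
        ["DEL", session_key(sid)],
        ["SREM", user_sessions_key(user_id), sid]
      ])

    :ok
  end

  # Revoke every session for a user, e.g. right after a password reset.
  # Takes effect immediately because validation always hits Redis.
  def revoke_all(user_id) do
    keys = Enum.map(list(user_id), &session_key/1)
    {:ok, _} = Redix.command(@redix, ["DEL", user_sessions_key(user_id) | keys])
    :ok
  end

  defp session_id(token), do: :crypto.hash(:sha256, token) |> Base.encode16(case: :lower)
  defp session_key(sid), do: "session:" <> sid
  defp user_sessions_key(user_id), do: "user_sessions:" <> Integer.to_string(user_id)
end

# Plug that reads "Authorization: Bearer <token>", validates it against Redis
# and puts the user id in conn.assigns, or halts with 401 (hypothetical name).
defmodule TokenAuthPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         user_id when is_integer(user_id) <- TokenSessions.lookup(token) do
      assign(conn, :current_user_id, user_id)
    else
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end
end
```

Plugging `TokenAuthPlug` into an API pipeline in the router gives every controller `conn.assigns.current_user_id`; a password-reset controller would call `TokenSessions.revoke_all(user_id)` after saving the new password, and a "sessions" endpoint could expose `list/1` and `revoke/2`. Note that the TTL here is fixed at creation; sliding expiry would need an `EXPIRE` on each successful lookup.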

Bouncer isn’t a drop-in solution like Devise is for Ruby on Rails. It’s a library that allows you to use what you need and discard what you don’t. I wanted to provide flexibility while not requiring a whole lot of configuration so you could set up your user flow however you’d like. I also left out things like password authentication since libraries like Comeonin already cover this functionality so well.

Currently, I’m working on v0.1.0 which is a significant refactor and adds functionality to help with email verification and resetting passwords. I’d appreciate any feedback as I continue to work on Bouncer and get it production-ready.