How can I ensure that only requests with valid tokens are accepted?

[alishir]

Hi all,
I want to accept only requests with valid tokens and block all other requests. I added the following snippet to my endpoint.

defmodule TestWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :test

  ...
  plug Oidcc.Plug.ExtractAuthorization
  plug Oidcc.Plug.ValidateJwtToken,
    provider: Test.OidccConfigProvider,
    client_id: @client_id,
    client_secret: @client_secret,
    send_inactive_token_response: &TestWeb.Endpoint.halt_conn/1
   
 plug TestWeb.Router
end

It blocks requests that contain invalid tokens. However, it does not block requests that do not contain the Authorization: Bearer <token> header. I think we should raise an error or send an invalid response in the following line.

oidcc_plug/lib/oidcc/plug/validate_jwt_token.ex

Line 77 in c5609a6

def call(%Plug.Conn{private: %{ExtractAuthorization => nil}} = conn, _opts), do: conn

[maennchen]

@alishir We currently do not offer a plug to check if an authorization exists, only if it is valid.

For a lot of APIs, no auth is also valid and the result might just depend on if you’re logged in.

You‘ll therefore have to create your own plug to protect routes.

If you‘d like, I‘d be open for a PR that adds a new plug that does this.

[alishir]

Thanks a lot for your guidance. I will be happy if I could make any contribution. But before preparing a PR, are you okay with EnsureValidToken as a name and this modification?

def call(%Plug.Conn{private: %{ExtractAuthorization => nil}} = conn, _opts) do
  conn
  |> halt()
  |> send_resp(:unauthorized, "Token not provided")
end

[maennchen]

I‘m not sure if I like the name. How about RequireAuthorization?

Also make sure that the response can be modified.

See:

oidcc_plug/lib/oidcc/plug/validate_jwt_token.ex

Line 49 in c5609a6

send_inactive_token_response: (conn :: Plug.Conn.t() -> Plug.Conn.t())

Otherwise it sounds like you’re on a good path 👍