by QuinnWilton
3007 days ago
I've been coding Elixir professionally for a few years, and working in security for longer, and I recommend against using Coherence for anything but toy apps. It's a fairly full-featured Devise-substitute, but the code quality isn't great, and a lot of the less-used features haven't had any sort of real-world testing. There have been a few trivial, high-severity security vulnerabilities in it, and I wouldn't be surprised if more are hiding. For example, when I last read through the codebase it was common to find features that simply wouldn't work, because the code referenced hardcoded parts of the sample application. You're also going to run into a lot of issues trying to migrate off of Coherence if you ever need to support anything other than form-based username / password login. I think it really is worth the effort to go with Ueberauth [0]. You'll need to do more work upfront, but the maintainability gains will quickly pay off. You can even use :ueberauth_identity [1] to provide username / password based auth without too much trouble.

[0] https://github.com/ueberauth/ueberauth
[1] https://github.com/ueberauth/ueberauth_identity

I don't agree about ueberauth though. It assumes too much knowledge on the part of the developer, and is insufficient if one is looking for a "plug and play" authentication solution. I used it with Guardian but in the end moved away from it because using JWTs for authentication is just not a good idea.