GuardianDb

GuardianDb is a simple module that hooks into Guardian to prevent replay of tokens, i.e. the continued use of a token after it has been revoked.

In vanilla Guardian, tokens aren’t tracked, so the only mechanism for making a token inactive is to set its expiry and wait until it arrives.

GuardianDb takes an active role: it stores each token in the database and verifies its presence (based on its jti) whenever Guardian verifies the token. If the token is not present in the DB, the Guardian token cannot be verified.

Provides a simple database storage and check for Guardian tokens.

  • When a token is generated, it is stored in the database.
  • When a token is verified (channel, session or header), the database is checked for a matching entry. If none is found, verification results in an error.
  • On logout, or when a token is revoked, the corresponding entry is removed.
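The three steps above, as an added example that is not GuardianDb's own code: `TokenStore` is an in-memory Agent standing in for the Ecto repo, `TrackingHooks` implements the hook callbacks listed on this page, and the `{:ok, {...}}` return shapes are assumed from Guardian's hook conventions. The claims and JWT string at the bottom are constructed; no real signing takes place.

```elixir
# Added example (not GuardianDb's code): a minimal model of the jti allow-list
# that GuardianDb keeps in the database. Return shapes are assumed to follow
# Guardian's hook conventions.

defmodule TokenStore do
  # Stand-in for the repo: a map keyed by jti, holding the claims worth auditing.
  def start_link, do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  def insert(jti, claims), do: Agent.update(__MODULE__, &Map.put(&1, jti, claims))
  def fetch(jti), do: Agent.get(__MODULE__, &Map.fetch(&1, jti))
  def delete(jti), do: Agent.update(__MODULE__, &Map.delete(&1, jti))
end

defmodule TrackingHooks do
  @moduledoc "Hook callbacks in the style of GuardianDb, backed by TokenStore."

  def before_encode_and_sign(resource, type, claims), do: {:ok, {resource, type, claims}}

  # Once the JWT exists, record it under its jti so on_verify can find it later.
  # A token without a jti cannot be tracked, so it is refused rather than ignored.
  def after_encode_and_sign(resource, type, claims, jwt) do
    case claims do
      %{"jti" => jti} when is_binary(jti) ->
        TokenStore.insert(jti, Map.take(claims, ["sub", "aud", "exp"]))
        {:ok, {resource, type, claims, jwt}}

      _ ->
        {:error, :missing_jti}
    end
  end

  # A cryptographically valid token whose jti is not on file is treated as revoked.
  def on_verify(claims, jwt) do
    with %{"jti" => jti} <- claims,
         {:ok, _row} <- TokenStore.fetch(jti) do
      {:ok, {claims, jwt}}
    else
      :error -> {:error, :token_not_found}
      _ -> {:error, :missing_jti}
    end
  end

  # Logout / revoke: drop the row so every later verification of this jti fails.
  def on_revoke(claims, jwt) do
    case claims do
      %{"jti" => jti} -> TokenStore.delete(jti)
      _ -> :ok
    end

    {:ok, {claims, jwt}}
  end
end

# Walk-through with constructed claims and a placeholder JWT string.
{:ok, _} = TokenStore.start_link()
claims = %{"jti" => "constructed-jti-1", "sub" => "user:42", "aud" => "web", "exp" => 1_700_000_000}
jwt = "<constructed.jwt.string>"

{:ok, _} = TrackingHooks.after_encode_and_sign(%{id: 42}, "access", claims, jwt)
{:ok, _} = TrackingHooks.on_verify(claims, jwt)                    # present in store: verified
{:ok, _} = TrackingHooks.on_revoke(claims, jwt)
{:error, :token_not_found} = TrackingHooks.on_verify(claims, jwt)  # removed: rejected
IO.puts("revocation check ok")
```

The design point is that the store is consulted on every verification, not only at sign-in, which is what turns a revocation into an immediate effect instead of one that waits for the expiry to arrive; it also means each verification now costs a database lookup.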

Summary

after_encode_and_sign(resource, type, claims, jwt)

After the JWT is generated, stores its fields in the DB for tracking.

after_sign_in(conn, )

Callback implementation for c:Guardian.Hooks.after_sign_in/2

before_encode_and_sign(resource, type, claims)

Callback implementation for c:Guardian.Hooks.before_encode_and_sign/3

before_sign_out(conn, )

Callback implementation for c:Guardian.Hooks.before_sign_out/2

on_revoke(claims, jwt)

When logging out, or revoking a token, removes it from the database so the token may no longer be used.

on_verify(claims, jwt)

When a token is verified, checks that it is present in the DB. If the token is found, verification continues; if not, an error is returned.

repo()

Functions

after_encode_and_sign(resource, type, claims, jwt)

After the JWT is generated, stores its fields in the DB for tracking.

after_sign_in(conn, )

Callback implementation for c:Guardian.Hooks.after_sign_in/2.

before_encode_and_sign(resource, type, claims)

Callback implementation for c:Guardian.Hooks.before_encode_and_sign/3.

before_sign_out(conn, )

Callback implementation for c:Guardian.Hooks.before_sign_out/2.

on_revoke(claims, jwt)

When logging out, or revoking a token, removes it from the database so the token may no longer be used.

on_verify(claims, jwt)

When a token is verified, checks that it is present in the DB. If the token is found, verification continues; if not, an error is returned.

repo()