Skip to content

Commit 8aa0379

Browse files
committed
Fixed typos and semantic errors in the AUTHENTICATION.md.
Signed-off-by: Exadra37 <exadra37@gmail.com>
1 parent 0627fd4 commit 8aa0379

1 file changed

Lines changed: 9 additions & 10 deletions

File tree

elixir/phoenix/AUTHENTICATION.md

Lines changed: 9 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
Phoenix ships with an [Authentication code generator](https://hexdocs.pm/phoenix/mix_phx_gen_auth.html), which will be the preferred to use in any project that requires authentication unless the user or the project README says otherwise.
44

5-
**IMPORTANT:** Before adding Authentication as instructed here, an Intent needs to be created with instruction from points 2. and 3. of this document, with user approval. The Intent **MUST** be created as specified by the INTENT_SPECIFICATION.md and exemplified by the INTENT_EXAMPLE.md.
5+
**IMPORTANT:** Before adding Authentication as instructed here, an Intent needs to be created with instructions from points 2. and 3. of this document, with user approval. The Intent **MUST** be created as specified by the INTENT_SPECIFICATION.md and exemplified by the INTENT_EXAMPLE.md.
66

77
## 1. Overview
88

@@ -11,19 +11,18 @@ The generator by default:
1111
* uses magic links, not email and password combo, but it can be enabled by the user after email confirmation.
1212
* adds the routes to `router.ex`.
1313
* adds the tests.
14-
* adds a [Scope](https://hexdocs.pm/phoenix/mix_phx_gen_auth.html#scopes) module since Phoenix 1.8. The `%Scope{}` is then passed calls to the business logic layer (`lib/my_app/*`) to prevent unauthorized access to other users resources.
14+
* adds a [Scope](https://hexdocs.pm/phoenix/mix_phx_gen_auth.html#scopes) module since Phoenix 1.8. The `%Scope{}` is then passed in calls to the business logic layer (`lib/my_app/*`) to prevent unauthorized access to other users resources.
1515
* doesn't include a production mailer.
1616

1717
## 2. How to Install
1818

1919
1. Run `mix phx.gen.auth Accounts.Users User users --live --hashing-lib argon2 --web Accounts.Users`.
2020
2. Run `mix deps.get`.
21-
4. Run `mix ecto.migrate`.
22-
5. Run `mix ecto.migrate`.
21+
3. Run `mix ecto.migrate`.
2322

2423
## 3. How to Add Routes that Require Authentication
2524

26-
For example, when you create a LiveView with `mix phx.gen.live Catalogs.Products Product products name:string desc:string --web Catalogs.Products` then it will ask you to add this routes:
25+
For example, when you create a LiveView with `mix phx.gen.live Catalogs.Products Product products name:string desc:string --web Catalogs.Products` then it will ask you to add these routes:
2726

2827
```elixir
2928
scope "/catalogs/products", MyAppWeb.Catalogs.Products do
@@ -53,15 +52,15 @@ scope "/catalogs/products", MyAppWeb.Catalogs.Products do
5352
end
5453
```
5554

56-
**CRITICAL:** For security reasons you **MUST** use always the `on_mount` with `:require_authenticated`. You **MUST NOT** use the `on_mount` with `:mount_current_scope` unless explicitly asked by the user. The use of `:mount_current_scope` will not protect the route at the router level when an attacker replays an authenticated request, instead it will crash somewhere else on the code base where the current scope needs to be used and it's `nil`, which can be at business layer level, before doing a database request. It's enough for the developer or AI agent to not use a scope in the query to make the attacker happy.
55+
**CRITICAL:** For security reasons you **MUST** always use the `on_mount` with `:require_authenticated`. You **MUST NOT** use the `on_mount` with `:mount_current_scope` unless explicitly asked by the user. The use of `:mount_current_scope` will not protect the route at the router level when an attacker replays an authenticated request, instead it will crash somewhere else in the code base where the current scope needs to be used and it's `nil`, which can be at the business layer level, before doing a database request. It's enough for the developer or AI agent to not use a scope in the query to make the attacker happy.
5756

58-
The live session was named `:catalogs_products_require_authenticated_user`, as per the above pattern, which guarantees that it will be always unique in the router.
57+
The live session was named `:catalogs_products_require_authenticated_user`, as per the above pattern, which guarantees that it will always be unique in the router.
5958

60-
Notice, that each live route had `products` removed from it, which its required when we use the option `--web` with the format `-web <DomainPlural>.<ResourcePlural>`, e.g. `--web Catalogs.Products`. This is because of a bug in the code generators that will create routes with the resource duplicated in the path, that in this case was `/catalogs/products/products/...`.
59+
Notice, that each live route had `products` removed from it, which is required when we use the option `--web` with the format `-web <DomainPlural>.<ResourcePlural>`, e.g. `--web Catalogs.Products`. This is because of a bug in the code generators that will create routes with the resource duplicated in the path, that in this case was `/catalogs/products/products/...`.
6160

62-
Now its also required to fix all routes created by the code generator in other files, and to fix them:
61+
Now it's also required to fix all routes created by the code generator in other files, and to fix them:
6362
1. You **MUST** run `mix compile` to find all module files with routes to be fixed.
64-
2. You **MUST** then create a list of files from the the output of `mix compile` that have routes to be fixed.
63+
2. You **MUST** then create a list of files from the output of `mix compile` that have routes to be fixed.
6564
3. You **MUST** feed the list of files to a **find and replace tool** (e.g. `find` in Linux), to fix all routes in only one pass. You **MUST NOT** try to fix one module at a time, because that will be an exhaustive and time consuming task.
6665

6766
## 4. How to Add a Production Mailer

0 commit comments

Comments
 (0)