Existing general purpose user management application in Erlang?

Are you aware of a general purpose user management application that can be used as a dependency in Erlang so I wouldn’t have to implement common functionality/logic?

I have a small web app (using cowboy, but in some ways that shouldn’t matter) that I’d like to add user specific functionality, such as sign up, log in, update account info, etc… If I were to write this, I would probably first write some generally useful CRUD/authentication/etc. that has nothing to do with my specific app, and then customize its use for my case. So that led me to thinking someone could have already done it; hence, the question.

I looked around but couldn’t find anything in Erlang, but did find Pow for Elixir/Phoenix that does that and some more. Is there anything existing, even more bare bones for Erlang?

Note: I’m trying to avoid running another service like a directory server, HTTP service (which could also be in another programming language), or similar.

3 Likes

Maybe Zotonic and @mworrell can help you.

2 Likes

It is quite some work to get proper (and secure) authentication working for a site.
That is why we use Zotonic to build websites, which has all this built-in.

There is no standard library for this, I guess not in the least because there is no standard library for the templates and controllers. Of course pow uses the Phoenix web framework, which makes it possible to expect a somewhat standardized environment. Just like Zotonic modules can expect a standardized environment.

For proper user management and authentication, you will need:

  • Username / password identification
  • Password reset emails
  • Identity management
  • Access control - users/groups/etc.
  • Secure cookie handling
  • 2FA
  • Rate limiting
  • Session management (language, timezone, etc)

And then the usual things like:

  • User profile (multilingual)
  • Merging accounts
  • Multiple identities per user (email and other)
  • Sign up flow
  • Sign up via 3rd party sources (FB, Tw etc)
  • OAuth2 access tokens, integrated with user management
  • Single sign on: use your site as an identity provider

We use an authentication system where the client manages the authentication cookie by periodically refreshing it using a specialized controller. The auth cookie is used by the other endpoints (websocket/mqtt and https) for identifying the user.

The auth cookie is secure and strict. So the client side code reloads the page if a visitor turns out to be authenticated after the initial page load (which happens without strict cookies).

You can find the authentication code (client and server) in zotonic/apps/zotonic_mod_authentication at master · zotonic/zotonic · GitHub

OAuth2, 2FA, rate-limiting, and signup have their own modules. Identity management and password checks are primarily done via the core m_identity model.

8 Likes
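The refresh mechanism described above (a dedicated endpoint that re-issues a Secure, SameSite=Strict auth cookie, with the client reloading once it learns it is logged in) is easy to sketch for the cowboy setup the question mentions. The following module is an added example written for this thread; it is not Zotonic's `zotonic_mod_authentication` code and the token format is an assumed, minimal HMAC scheme. It assumes a cowboy 2.x route such as `{"/auth/refresh", auth_cookie_h, #{key => Secret}}` with a 32-byte secret in the handler state, and that some separate login handler calls `set_cookie/3` after its own credential check.

```erlang
%% auth_cookie_h.erl
%% Added example, not Zotonic's code: a cowboy 2.x handler for a /auth/refresh
%% endpoint that re-issues a Secure, HttpOnly, SameSite=Strict auth cookie.
%% Assumed: the handler is mounted with a 32-byte secret in its state, e.g.
%%   {"/auth/refresh", auth_cookie_h, #{key => crypto:strong_rand_bytes(32)}}
%% and some login handler calls set_cookie/3 after its own credential check.
-module(auth_cookie_h).
-export([init/2, set_cookie/3, issue/2, verify/2]).

-define(COOKIE, <<"auth">>).
-define(TTL, 600).   % seconds a token stays valid; the client refreshes well before

%% --- cowboy handler -------------------------------------------------------
init(Req0, State = #{key := Key}) ->
    Req = case lists:keyfind(?COOKIE, 1, cowboy_req:parse_cookies(Req0)) of
        {_, Token} ->
            case verify(Key, Token) of
                {ok, UserId} ->
                    %% Valid and unexpired: extend the session with a fresh token.
                    cowboy_req:reply(204, set_cookie(Req0, Key, UserId));
                {error, _Reason} ->
                    %% Bad signature, tampered or expired: clear the cookie.
                    Req1 = cowboy_req:set_resp_cookie(?COOKIE, <<>>, Req0,
                               #{max_age => 0, path => <<"/">>}),
                    cowboy_req:reply(401, Req1)
            end;
        false ->
            cowboy_req:reply(401, Req0)
    end,
    {ok, Req, State}.

%% Secure + HttpOnly keep the cookie off plain HTTP and away from page scripts.
%% same_site strict means a navigation arriving from another site carries no
%% cookie, which is why the client must call this endpoint and reload afterwards.
set_cookie(Req, Key, UserId) ->
    cowboy_req:set_resp_cookie(?COOKIE, issue(Key, UserId), Req,
        #{secure => true, http_only => true, same_site => strict,
          path => <<"/">>, max_age => ?TTL}).

%% --- token format (pure functions, testable without cowboy) ---------------
%% token = base64(<<Expiry:64, UserId/binary>>) "." base64(HMAC-SHA256(Key, payload))
issue(Key, UserId) when is_binary(Key), is_binary(UserId) ->
    Expiry = erlang:system_time(second) + ?TTL,
    Payload = <<Expiry:64/unsigned, UserId/binary>>,
    Mac = crypto:mac(hmac, sha256, Key, Payload),
    <<(base64:encode(Payload))/binary, ".", (base64:encode(Mac))/binary>>.

verify(Key, Token) when is_binary(Token) ->
    case binary:split(Token, <<".">>) of
        [P64, M64] ->
            %% base64:decode raises on malformed input; treat that as a bad token.
            try {base64:decode(P64), base64:decode(M64)} of
                {Payload, Mac} -> verify_mac(Key, Payload, Mac)
            catch
                _:_ -> {error, malformed}
            end;
        _ ->
            {error, malformed}
    end.

verify_mac(Key, Payload, Mac) ->
    Expected = crypto:mac(hmac, sha256, Key, Payload),
    case const_eq(Mac, Expected) of
        false -> {error, bad_signature};
        true -> check_expiry(Payload)
    end.

check_expiry(<<Expiry:64/unsigned, UserId/binary>>) ->
    case Expiry > erlang:system_time(second) of
        true -> {ok, UserId};
        false -> {error, expired}
    end;
check_expiry(_) ->
    {error, malformed}.

%% Constant-time comparison so a forged MAC cannot be guessed byte by byte.
%% (OTP 25+ also provides crypto:hash_equals/2 for this.)
const_eq(A, B) when byte_size(A) =/= byte_size(B) -> false;
const_eq(A, B) ->
    Diff = lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                       lists:zip(binary_to_list(A), binary_to_list(B))),
    Diff =:= 0.
```

In the shell, `auth_cookie_h:verify(Key, auth_cookie_h:issue(Key, <<"alice">>))` returns `{ok, <<"alice">>}`, while flipping any byte of the token yields `{error, bad_signature}` or `{error, malformed}`. The client side only needs a timer that calls `/auth/refresh` before the TTL elapses and, on the first page load, reloads the page when that call returns 204 for a visitor the page rendered as anonymous; that is the reload behaviour described above, and it is needed only because the strict cookie is withheld on cross-site navigations.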

Thanks for the detailed response and links to the code - much appreciated. Also it makes sense that Pow takes advantage of the Phoenix framework for templates, etc… Such software doesn’t exist in a vacuum and relies on its own dependencies and environment; though I wonder if there’s a balance in which most of the domain specific part of the common functionality you list is more easily (or at all) reused in different contexts. In my mind, ideally there’s a dependency I start with my own options (e.g. yes 2fa, no oauth2, no 3rd party, etc.) and I hook it up to whatever environment - storage, templates, etc. - I’m integrating it in, instead of having to re-implement everything from scratch. There could be pre-baked shims for Zotonic, Phoenix, etc… But perhaps such lines aren’t easy to draw.

2 Likes