Standard Process For Authenticating Cowboy Requests

Hi everyone, the question title says it all.

What’s the best way to authenticate REST requests to a cowboy server existing on the public internet? (Meaning: NOT shielded within a private VPC/API Gateway; requests are made directly to its host/public IP address.)

Thanks!

Hi there,

I’m afraid it strongly depends on the details of what you’re trying to do. Basic auth, API key, oauth, JWT are all possible choices, and more! Since cowboy is a general purpose HTTP server, any of these is doable, with differing degrees of difficulty. It depends on what you’re trying to protect and from whom.

Let’s say I wanted to enable basic auth keys and/or JWT tokens, is there a requirement to maintain some form of backend that handles token refreshes/revocations/verifications? Or does Cowboy do this out of the box?

As far as I know there’s nothing out of the box in cowboy.

  1. Basic auth is pretty easy. Here’s a good example I found.
  2. A JWT can be validated with JOSE. It’s more involved but very reliable once you get it set up, and it has some added security benefits such as an expiration. Generating the JWT is a client-side thing, so it depends on what language your client lives in. If it’s Erlang then you can also use JOSE.

Here is a better basic auth example:

You can of course change the implementation of is_authorized/2 to implement any authn mechanism you want.

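Since the basic auth example this post refers to is not reproduced in the thread, here is an added illustration (not the poster's code, and not from cowboy itself) of a minimal cowboy 2 REST handler whose is_authorized/2 checks HTTP Basic credentials. The in-memory user map, the realm name and the constant-time comparison helper are assumptions for the example; a real service would look up a password hash instead.

```erlang
%% Added example: cowboy 2 cowboy_rest handler with HTTP Basic auth in is_authorized/2.
%% Route it with e.g. {"/api/whoami", basic_auth_handler, []} in cowboy_router:compile/1.
-module(basic_auth_handler).
-export([init/2, is_authorized/2, content_types_provided/2, to_json/2]).

init(Req, _Opts) ->
    {cowboy_rest, Req, #{}}.

%% cowboy_req:parse_header/2 decodes "Authorization: Basic base64(user:pass)"
%% into {basic, User, Pass}. Any other shape (missing, bearer, malformed)
%% gets a 401 with a WWW-Authenticate challenge.
is_authorized(Req, State) ->
    Challenge = <<"Basic realm=\"api\"">>,
    case cowboy_req:parse_header(<<"authorization">>, Req) of
        {basic, User, Pass} ->
            case check_credentials(User, Pass) of
                true  -> {true, Req, State#{user => User}};
                false -> {{false, Challenge}, Req, State}
            end;
        _ ->
            {{false, Challenge}, Req, State}
    end.

%% Constructed credential store (assumption); replace with a DB lookup of a
%% password hash. An unknown user still runs a comparison so that "no such
%% user" and "wrong password" take about the same time.
check_credentials(User, Pass) ->
    Users = #{<<"alice">> => <<"correct-horse-battery">>},
    case maps:find(User, Users) of
        {ok, Expected} -> secure_compare(Pass, Expected);
        error ->
            _ = secure_compare(Pass, <<"dummy-value-dummy-val">>),
            false
    end.

%% Constant-time byte comparison: OR together the XOR of every byte pair
%% instead of returning at the first mismatch.
secure_compare(A, B) when byte_size(A) =:= byte_size(B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs) =:= 0;
secure_compare(_, _) ->
    false.

content_types_provided(Req, State) ->
    {[{{<<"application">>, <<"json">>, []}, to_json}], Req, State}.

%% Only reached once is_authorized/2 returned true; State carries the user.
to_json(Req, #{user := User} = State) ->
    {<<"{\"user\":\"", User/binary, "\"}">>, Req, State}.
```

Swapping in another scheme (API key, JWT via JOSE) only changes the body of is_authorized/2; the rest of the cowboy_rest flow stays the same.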

I found JOSE really hard to use. Are there any good examples?

Eventually gave up and wrote my own JWT validation (which isn’t particularly hard).

I admit I’ve only used it via the Elixir Joken project. One could probably inspect that project’s usage of jose.

I made foodog to abstract over jose. It’s slightly opinionated, but it simplifies the API to just generate and verify.
