Consider providing cookie / session based mechanism for API applications #59

Closed
acrolink opened this issue May 20, 2018 · 5 comments

Comments

@acrolink

acrolink commented May 20, 2018

The current behavior of the phauxth installer is to provide either:

  1. Session based authentication if the application is HTML based.
  2. Token based authentication if the api switch is used.

It would be nice to have an additional switch for the installer to specify a JSON API setup based on session / cookie storage (not tokens), since storing the token inside a session cookie provides the best security (compared to storing it, for example, in local storage by the client-side JS application).

You are welcome to join the discussion here:
Sending cookies for stateless SPA authentication using JWT

@vloaix

vloaix commented May 21, 2018

It is not a switch for the installer, but this?

Also, I think it has been made clear in several elixirforum discussions that using JWT for client auth is not a good idea.

@riverrun
Owner

I'm really busy at the moment, but in early June I should be able to address this. Sorry for the delay.

@riverrun
Owner

riverrun commented Sep 3, 2018

I can update the Phauxth Authenticate plug to handle tokens that are stored in cookies. Is that what you want?

@acrolink
Author

acrolink commented Sep 3, 2018

@riverrun, I think it would be nice to allow storing and reading the tokens from cookies. I have already done that within Guardian and it is working fine.

@riverrun
Owner

I have added information about how to customize Authenticate.Token to the documentation for that module, and there is also an example module in the custom_authenticate.exs file (Phauxth.AuthenticateTokenCookie).
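
The token-in-cookie approach discussed in this thread, as an added example (it is not part of the thread and is not Phauxth's `Phauxth.AuthenticateTokenCookie` code). The module name, cookie name, salt and lifetime are assumptions; it uses only `Plug.Conn` and `Phoenix.Token`, and assumes a Plug version whose `put_resp_cookie/4` accepts `:same_site`.

```elixir
defmodule MyAppWeb.TokenCookie do
  # Hypothetical module, not part of Phauxth: keeps a signed token in an
  # HttpOnly cookie so client-side JavaScript never handles the token.
  @behaviour Plug
  import Plug.Conn

  @cookie "_my_app_token"   # assumed cookie name
  @salt "user auth"         # assumed signing salt
  @max_age 4 * 60 * 60      # token and cookie lifetime, in seconds

  # Attributes shared by set and delete so the browser matches the cookie.
  @cookie_opts [
    http_only: true,        # not readable through document.cookie
    secure: true,           # only sent over HTTPS
    same_site: "Strict"     # not attached to cross-site requests
  ]

  # Call after a successful login to issue the cookie.
  def put_token(conn, user_id) do
    token = Phoenix.Token.sign(conn, @salt, user_id)
    put_resp_cookie(conn, @cookie, token, [max_age: @max_age] ++ @cookie_opts)
  end

  # Call on logout.
  def drop_token(conn), do: delete_resp_cookie(conn, @cookie, @cookie_opts)

  @impl true
  def init(opts), do: opts

  # Reads the token from the cookie rather than the authorization header.
  # Because browsers attach cookies automatically, state-changing routes
  # still need CSRF protection; SameSite alone is only one layer.
  @impl true
  def call(conn, _opts) do
    conn = fetch_cookies(conn)

    with token when is_binary(token) <- conn.cookies[@cookie],
         {:ok, user_id} <-
           Phoenix.Token.verify(conn, @salt, token, max_age: @max_age) do
      assign(conn, :current_user_id, user_id)
    else
      # Missing, expired or tampered token: treat the request as anonymous.
      _ -> assign(conn, :current_user_id, nil)
    end
  end
end
```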
