PhoenixTokenAuth
================

Adds token authentication to Phoenix apps using Ecto.

## Setup
You need to have a user model with at least the following schema:

```elixir
defmodule MyApp.User do
  use Ecto.Model

  schema "users" do
    field  :email,                       :string
    field  :hashed_password,             :string
    field  :hashed_confirmation_token,   :string
  end
end
```

Then add PhoenixTokenAuth to your Phoenix router:

```elixir
defmodule MyApp.Router do
  use Phoenix.Router
  require PhoenixTokenAuth

  pipeline :authenticated do
    plug PhoenixTokenAuth.Plug
  end

  scope "/api" do
    pipe_through :api

    PhoenixTokenAuth.mount
  end

  scope "/api" do
    pipe_through :authenticated
    pipe_through :api

    resources: messages, MessagesController
  end
end
```
This generates routes for sign-up and login and protects the messages resources from unauthenticated access.

The generated routes are:

method | path | description
-------|------|------------
POST | /api/users | sign up
POST | /api/users/:id/confirm | confirm account
POST | /api/session | login, will return a token as JSON

Inside the controller, the authenticated user's id is accessible inside the connections assigns:

```elixir
def index(conn, _params) do
  user_id = conn.assigns.authenticated_user.id
  ...
end
```

Now add configuration:
```elixir
# config/config.exs
config :phoenix_token_auth,
  user_model: Myapp.User,                                                    # ecto model used for authentication
  repo: Myapp.Repo,                                                          # ecto repo
  crypto_provider: Comeonin.Bcrypt,                                          # crypto provider for hashing passwords/tokens. see http://hexdocs.pm/comeonin/
  token_secret: "the_very_secret_token",                                     # secret string used to sign the authentication token
  token_validity_in_minutes: 7 * 24 * 60                                     # minutes from login until a token expires
  email_sender: "myapp@example.com",                                         # sender address of emails sent by the app
  welcome_email_subject: fn user -> "Hello #{user.email}" end,               # function returning the subject of a welcome email
  welcome_email_body: fn user, confirmation_token -> confirmation_token end, # function returning the body of a welcome email
  mailgun_domain: "example.com"                                              # domain of your mailgun account
  mailgun_key: "secret"                                                      # secret key of your mailgun account
```


## Usage

### Signing up / Registering a new user
POST request to /api/users.
Body should be JSON encoded `{user: {email: "user@example.com", password: "secret"}}`.
This will send an email containing the confirmation token.

### Confirming a user
POST request to /api/users/:id/confirm
Body should be JSON encoded `{confirmation_token: "token form the email"}`
This will mark the user as confirmed and return an authentication token as JSON: `{token: "the_token"}`.

### Logging in
POST request to /api/sessions
Body should be JSON encoded `{email: "user@example.com", password: "secret"}`
Will return an authentication token as JSON: `{token: "the_token"}`

### Requesting a protected resource
Add a header with key `Authorization` and value `Bearer #{token}` to the request.
`#{token}` is the token from either account confirmation or logging in.

### Logging out
Logging out is completely client side. Just stop sending the `Authorization` header.





## TODO:
* Better documentation
* Email confirmation of accounts
* Password resetting
* Validations of email and password (format, length, ...)