How to Protect Pages at the Controller Level

Steve Pallen edited this page Nov 26, 2016 · 1 revision

The Coherence installation instructions describe how to protect pages at the router level. If you would rather authenticate at the controller level, follow these instructions.

For an example, see the controller-plugs branch of CoherenceDemo.

Configure the router. Note that the plug Coherence.Authentication.Session call in the :browser pipeline does not enforce authentication; it simply places the current user in the conn for those pages that don't require authentication. This is required for some of the Coherence controllers to work properly.

# web/router
defmodule CoherenceDemo.Router do
  use CoherenceDemo.Web, :router
  use Coherence.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug Coherence.Authentication.Session
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/" do
    pipe_through :browser
    coherence_routes :all        # note the :all here
  end

  scope "/", CoherenceDemo do
    pipe_through :browser
    get "/", PageController, :index
    resources "/posts", PostController
    resources "/users", UserController
    put "/lock/:id", UserController, :lock
    put "/unlock/:id", UserController, :unlock
    put "/confirm/:id", UserController, :confirm
  end
end

In the controllers that require authentication, do the following:

defmodule CoherenceDemo.PostController do
  use CoherenceDemo.Web, :controller
  plug Coherence.Authentication.Session, protected: true

  # ...
end

Alternatively, if you would like to protect selected actions:

defmodule CoherenceDemo.PostController do
  use CoherenceDemo.Web, :controller
  plug Coherence.Authentication.Session, [protected: true] when action in [:create, :update, :new, :edit, :delete]

  # ...
end
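
The selected-actions form above lists the actions to protect, so an action added later is left open unless someone remembers to extend the list. The following is an added example, not code from the CoherenceDemo project: it inverts the guard so only the listed public actions skip authentication, and adds a controller test that checks this. It assumes the demo app's Phoenix-generated CoherenceDemo.ConnCase and post_path helpers, and that the Session plug halts the connection when an anonymous user hits a protected action.

```elixir
# web/controllers/post_controller.ex
defmodule CoherenceDemo.PostController do
  use CoherenceDemo.Web, :controller

  # Deny by default: every action except the listed public ones requires a
  # logged-in user, so an action added later is protected automatically.
  plug Coherence.Authentication.Session, [protected: true] when not action in [:index, :show]

  # ...
end

# test/controllers/post_controller_test.exs
defmodule CoherenceDemo.PostControllerTest do
  # Assumption: ConnCase imports Phoenix.ConnTest and the router helpers.
  use CoherenceDemo.ConnCase

  test "anonymous requests to protected actions are halted", %{conn: conn} do
    requests = [
      {:get, post_path(conn, :new)},
      {:post, post_path(conn, :create)},
      {:get, post_path(conn, :edit, 1)},
      {:put, post_path(conn, :update, 1)},
      {:delete, post_path(conn, :delete, 1)}
    ]

    for {verb, path} <- requests do
      # Fresh connection with no session, i.e. no logged-in user.
      conn = dispatch(build_conn(), CoherenceDemo.Endpoint, verb, path)
      # Assumption: the plug halts the conn before the action runs.
      assert conn.halted, "#{verb} #{path} reached the controller action"
    end
  end

  test "public actions stay reachable without login", %{conn: conn} do
    conn = get conn, post_path(conn, :index)
    assert html_response(conn, 200)
  end
end
```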