@limhoff-r7
Created June 3, 2015 19:09
Authenticates a user using the session or request params (reuses the session-key format from Authlogic in Rails). **NOTE: this does no authorization; another plug needs to be written to require that conn.assigns[:authorized_user] is set, or that the user has permission to read the records**
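defmodule Metasploit.Pro.Plugs.Authenticate do
  @moduledoc """
  Plug that resolves the current user from either a single-access-token request
  parameter or the Authlogic-style credentials stored in the session, and assigns
  the result to `conn.assigns[:authenticated_user]` (`nil` when nothing matches).

  This plug only authenticates; it never halts the connection and enforces no
  authorization. A separate plug must check `conn.assigns[:authenticated_user]`
  and decide what the user may access.

  ## Options

    * `:user_model` (required) - Ecto schema module queried for the user.
    * `:user_credentials_session_key` (required) - session key holding the
      credentials string, whose first `"::"`-separated segment is the
      persistence token.
    * `:single_access_token_param` - request parameter carrying a single access
      token. Defaults to `"single_access_token"`.
  """

  @behaviour Plug

  import Ecto.Query, only: [from: 2]
  import Plug.Conn

  @default_single_access_token_param "single_access_token"

  @doc """
  Validates the plug options and fills in the default token parameter name.

  Raises `ArgumentError` when `:user_credentials_session_key` or `:user_model`
  is missing.
  """
  @spec init(Keyword.t) :: Keyword.t
  def init(configuration) do
    configuration
    # The key must be the one `query/2` reads, otherwise the default is never seen.
    |> Keyword.put_new(:single_access_token_param, @default_single_access_token_param)
    |> valid_configuration!()
  end

  @doc """
  Looks up the user identified by the request and stores it under
  `:authenticated_user` in `conn.assigns` (`nil` when no user matches).
  """
  @spec call(Plug.Conn.t, Keyword.t) :: Plug.Conn.t
  def call(conn, configuration) do
    conn
    |> query(configuration)
    |> user()
    |> authenticate_user(conn)
  end

  defp authenticate_user(user, conn) do
    assign(conn, :authenticated_user, user)
  end

  # Builds the user lookup query; a usable token parameter wins over the session.
  defp query(conn, configuration) do
    single_access_token_param = configuration[:single_access_token_param]
    single_access_token = present_token(conn.params[single_access_token_param])
    query(conn, configuration, %{single_access_token: single_access_token})
  end

  # No usable token parameter: fall back to the credentials kept in the session.
  defp query(conn, configuration, %{single_access_token: nil}) do
    persistence_token =
      conn
      |> get_session(configuration[:user_credentials_session_key])
      |> persistence_token_from_credentials()

    query(conn, configuration, %{persistence_token: persistence_token})
  end

  defp query(_conn, configuration, %{single_access_token: single_access_token}) do
    from u in configuration[:user_model],
      where: u.single_access_token == ^single_access_token
  end

  defp query(_conn, _configuration, %{persistence_token: nil}), do: nil

  defp query(_conn, configuration, %{persistence_token: persistence_token}) do
    from u in configuration[:user_model],
      where: u.persistence_token == ^persistence_token
  end

  # The session value is split on "::" and only the first segment is used as the
  # persistence token (presumably Authlogic's `persistence_token::id` layout).
  # A value that is not a string (tampered or stale session data) would make
  # `String.split/2` raise, so it is treated as "no credentials" instead.
  defp persistence_token_from_credentials(credentials) when is_binary(credentials) do
    credentials
    |> String.split("::")
    |> hd()
    |> present_token()
  end

  defp persistence_token_from_credentials(_credentials), do: nil

  # Only a non-empty string may be used as a lookup key: request parameters can
  # arrive as lists or maps (`?single_access_token[]=x`), which would raise inside
  # Ecto, and an empty string must never match a row whose token column is blank.
  defp present_token(""), do: nil
  defp present_token(token) when is_binary(token), do: token
  defp present_token(_token), do: nil

  defp user(nil), do: nil
  defp user(query), do: Metasploit.Pro.Repo.one(query)

  @spec valid_configuration!(Keyword.t) :: Keyword.t
  defp valid_configuration!(configuration) do
    configuration
    |> valid_user_credentials_session_key!()
    |> valid_user_model!()
  end

  @spec valid_user_credentials_session_key!(Keyword.t) :: Keyword.t
  defp valid_user_credentials_session_key!(configuration) do
    case configuration[:user_credentials_session_key] do
      nil -> raise ArgumentError, "#{__MODULE__} expects :user_credentials_session_key as option"
      _ -> configuration
    end
  end

  @spec valid_user_model!(Keyword.t) :: Keyword.t
  defp valid_user_model!(configuration) do
    case configuration[:user_model] do
      nil -> raise ArgumentError, "#{__MODULE__} expected :user_model as option"
      _ -> configuration
    end
  end
end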
defmodule Metasploit.Pro.Router do
  @moduledoc """
  Phoenix router: every pipeline runs the `:authenticate` pipeline, which loads
  the session and resolves the current user without enforcing authorization.
  """

  use Metasploit.Pro.Web, :router

  alias Metasploit.Pro.Plugs

  # Resolves the current user from the token parameter or session; it never
  # halts, so controllers still have to check `conn.assigns[:authenticated_user]`.
  pipeline :authenticate do
    plug :fetch_session

    plug Plugs.Authenticate,
      single_access_token_param: "single_access_token",
      user_credentials_session_key: "mdm/user_credentials",
      user_model: Metasploit.Pro.User
  end

  pipeline :browser do
    plug :accepts, ["html"]
    plug :authenticate
    plug :fetch_flash
    plug :protect_from_forgery
  end

  # NOTE(review): this pipeline accepts session (cookie) credentials but has no
  # :protect_from_forgery; state-changing API routes reached with a cookie alone
  # would need CSRF protection or token-only authentication — confirm.
  pipeline :api do
    plug :accepts, ["json"]
    plug :authenticate
  end

  scope "/", Metasploit.Pro do
    # Use the default browser stack
    pipe_through :browser

    get "/", PageController, :index
  end

  scope "/api", Metasploit.Pro.Api, as: :api do
    pipe_through :api

    scope "/v1", V1, as: :v1 do
      resources "/users", UserController
    end
  end
end