// the find
pow-auth/pow
Robust, modular, and extendable user authentication system
Pow is a session-based authentication library for Phoenix and Plug apps. It handles registration, login, password reset, email confirmation, and persistent sessions through a modular extension system. It's aimed at Phoenix developers who want something more structured than rolling their own auth but less opinionated than something like Guardian.
The extension architecture is well thought out — each extension (PowResetPassword, PowEmailConfirmation, etc.) contributes its own migrations, routes, templates, and controller callbacks cleanly, so you're not fighting a monolith. The session plug is properly designed: tokens rotate on privilege changes and refresh every 15 minutes by default, which is better session hygiene than most auth libraries bother with. MnesiaCache for distributed session storage is a genuine advantage over Redis-required solutions, with built-in netsplit recovery via Unsplit. The customization surface is deep without requiring forks — you can swap password hashers, plug implementations, cache backends, route callbacks, and flash messages all through configuration.
The last push was January 2025 and activity has been minimal for over a year, which matters for a security library — you want someone watching CVEs. OAuth/social login is punted to a separate library (PowAssent), which means two dependency surfaces to vet instead of one. Mnesia is the recommended production session backend, which is fine for single nodes but genuinely painful in containerized or ephemeral environments where disk state is unreliable; the Redis guide is buried and not a first-class path. The user schema coupling to Ecto is deep by design, so if your user lives in a non-Ecto context (external service, different DB) you're fighting the library from day one.
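The session renewal interval and the cache backend choice discussed above, written out as configuration. This is an added example, not code from this review or from the Pow repository; `:my_app`, the `MyApp.*` modules and the Mnesia directory are placeholders, and the option names are the ones Pow's documentation uses, so check them against the version you install.

```elixir
# --- config/config.exs ---
import Config

config :my_app, :pow,
  user: MyApp.Users.User,
  repo: MyApp.Repo,
  # The session is renewed once it is older than this. 15 minutes is the
  # default; writing it out makes any later change visible in code review.
  session_ttl_renewal: :timer.minutes(15)

# --- config/prod.exs ---
import Config

# Without this key Pow falls back to the in-memory Pow.Store.Backend.EtsCache:
# sessions are local to one node and are lost on every restart or deploy.
config :my_app, :pow, cache_store_backend: Pow.Store.Backend.MnesiaCache

# Mnesia persists to disk. In a container, point it at a mounted volume,
# otherwise every redeploy silently logs all users out. (Placeholder path.)
config :mnesia, dir: ~c"/var/lib/my_app/mnesia"

# --- lib/my_app/application.ex ---
defmodule MyApp.Application do
  use Application

  def start(_type, _args) do
    children = [
      MyApp.Repo,
      MyAppWeb.Endpoint,
      # Starts the Mnesia-backed store and joins the currently connected nodes.
      {Pow.Store.Backend.MnesiaCache, extra_db_nodes: {Node, :list, []}},
      # Netsplit recovery; needs the :unsplit dependency in mix.exs.
      Pow.Store.Backend.MnesiaCache.Unsplit
    ]

    Supervisor.start_link(children, strategy: :one_for_one, name: MyApp.Supervisor)
  end
end
```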