LiveView Security with phx.gen.auth

I’ve used mix phx.gen.auth to create an authentication system. Now the user session/reset password is part of the non-LiveView app while most authenticated points are “live”. The only exception is the UserSettings portion of the auth. I’d like these to be “live” as well.

The first thing I tried was moving the “update password” feature to live. So I made a LiveComponent to open a modal and, using phx-trigger-action, I can validate inside the LiveView component and then submit it to the UserSettingsController to handle clearing the session and re-logging in the user. Then it’ll kick me back to the live session.

This all works fine, but I can’t help wonder if there may be a security issue here.

  1. Is it safe to send the new password this way?

  2. When the form validates, it automatically clears the password fields. I then have to repopulate the values using socket.assigns before submitting over HTTP. Is there an issue with having the passwords in the assigns or manually set using the value attribute?