Comments (6)
I think it's probably better to provide a hook into Turbo::StreamsChannel to provide authentication. Because having long-expiry tokens make them safe for caching/long-running socket connections. If you want to explore a callback in there and a configuration to go with it 👍
from turbo-rails.
Makes sense. Will look into it next week 👍
from turbo-rails.
Finally had some time to look into this but I'm unsure about how to proceed.
So here are my current thoughts.
Where should we be able to tap into using a callback?
My first idea was adding two callbacks mirroring the ActionCable connection/channel split but couldn't think of any case where the callback within the connection is necessary.
Another idea was providing generic before/after callbacks but I think the would be to broad and add unnessecary complexity.
So in the end I settled with providing a single callback into the Channel after verifing the stream name.
What type of information should we provide?
I would go with providing the actual ActionCable channel. It's public API anyways and providing only some parts of the channel (e.g. only params, cookies) will add unnecessary friction both for the user and maintainers.
I would like to provide a version of the stream name unpacked back into the provided streamables. Given how the stream name is currently generated we cannot fully restore the streamables so this could be a surprising. As of now only objects supporting global ids could be restored, everything else would just be strings. Additionally this would mean we need to escape our joining character within the streamables. At the moment we use :
as joining character which often is used in #to_param
(e.g. message:<id>
).
Can/Should we drop signing channel names with a authentication callback in place?
No, I don't think so. Keeping signed channel names gives us another line of defense and keeps the callback an entirely optional addition. Often those signed channel names should be good enough security measure.
Alternatives to consider
Instead of providing this callback we could go the ActiveStorage route and add documentation how to override Turbo::StreamsChannel
in order to provide a higher level of protection.
from turbo-rails.
I think we might be overthinking it. We could make the StreamsChannel inherit from ApplicationChannel instead of ActionCable::Channel::Base, then all the authorization setup there would automatically apply.
from turbo-rails.
Is inheriting from ApplicationCable::Channel
even necessary?
Normally some generic authorization setup would happen in ApplicationCable:Connection
anyways and if I recall this correctly turbo-rails
uses it automatically.
Which means we have basic authorization support out of the box - and given that something like fine-grained authorization is normally highly application specific - probably enough.
from turbo-rails.
You're right @MSNexploder. Agree that this is where this logic should live anyway.
from turbo-rails.
Related Issues (20)
- Content duplication on using render in controllers HOT 1
- Chrome reloads assets in the Link preload header HOT 1
- Uglifier::Error during assets:precompile HOT 2
- Turbo not streaming changes properly / window.Turbo is undefined HOT 3
- InstaClick prefetch not working with fragment cache
- Prefetch causes turbo stream to render on hover instead of on click HOT 4
- Inverted parameters in stream responses HOT 2
- unexpected routes added as part of the turbo rails gem HOT 3
- When streaming from a worker, path helpers append a domain `https://example.com` HOT 5
- Turbo Documentation need a "Broadcast" chatper
- Refresh broadcasts generated without changes
- Incompatible with Solid_Queue HOT 1
- turbo_frame_request_id safe operator in not handled correctly HOT 2
- Shouldn't broadcast refresh if streamables == [nil] HOT 1
- @npezza93 ActiveRecord::RecordNotFound in MembersController#edit_description
- FORM with an action URL containing a query param is not submitted. HOT 1
- Mixed Content Error with Turbo Drive
- OT: Attackers might be trying to steal your information from discuss.hotwire.dev HOT 2
- Turbo refresh can hijack user navigation HOT 3
- import "@hotwired/turbo-rails" errors HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from turbo-rails.