Comments (6)
I think it's probably better to provide a hook into Turbo::StreamsChannel to provide authentication. Because having long-expiry tokens make them safe for caching/long-running socket connections. If you want to explore a callback in there and a configuration to go with it 👍
from turbo-rails.
Makes sense. Will look into it next week 👍
from turbo-rails.
Finally had some time to look into this but I'm unsure about how to proceed.
So here are my current thoughts.
Where should we be able to tap into using a callback?
My first idea was adding two callbacks mirroring the ActionCable connection/channel split but couldn't think of any case where the callback within the connection is necessary.
Another idea was providing generic before/after callbacks but I think the would be to broad and add unnessecary complexity.
So in the end I settled with providing a single callback into the Channel after verifing the stream name.
What type of information should we provide?
I would go with providing the actual ActionCable channel. It's public API anyways and providing only some parts of the channel (e.g. only params, cookies) will add unnecessary friction both for the user and maintainers.
I would like to provide a version of the stream name unpacked back into the provided streamables. Given how the stream name is currently generated we cannot fully restore the streamables so this could be a surprising. As of now only objects supporting global ids could be restored, everything else would just be strings. Additionally this would mean we need to escape our joining character within the streamables. At the moment we use :
as joining character which often is used in #to_param
(e.g. message:<id>
).
Can/Should we drop signing channel names with a authentication callback in place?
No, I don't think so. Keeping signed channel names gives us another line of defense and keeps the callback an entirely optional addition. Often those signed channel names should be good enough security measure.
Alternatives to consider
Instead of providing this callback we could go the ActiveStorage route and add documentation how to override Turbo::StreamsChannel
in order to provide a higher level of protection.
from turbo-rails.
I think we might be overthinking it. We could make the StreamsChannel inherit from ApplicationChannel instead of ActionCable::Channel::Base, then all the authorization setup there would automatically apply.
from turbo-rails.
Is inheriting from ApplicationCable::Channel
even necessary?
Normally some generic authorization setup would happen in ApplicationCable:Connection
anyways and if I recall this correctly turbo-rails
uses it automatically.
Which means we have basic authorization support out of the box - and given that something like fine-grained authorization is normally highly application specific - probably enough.
from turbo-rails.
You're right @MSNexploder. Agree that this is where this logic should live anyway.
from turbo-rails.
Related Issues (20)
- Mixed Content Error with Turbo Drive
- OT: Attackers might be trying to steal your information from discuss.hotwire.dev HOT 2
- Turbo refresh can hijack user navigation HOT 3
- import "@hotwired/turbo-rails" errors HOT 1
- Using data-turbo-confirm on plain (non-form) buttons HOT 3
- Adding stimulus breaks a test HOT 1
- how do you install turboframes into a rails 5 project that migrated to rails 7 using only sprockets (skipping all the webpack & 6 bs)? HOT 2
- What are the controls effected before injecting `text/vnd.turbo-stream.html`?
- turbo_stream.remove_all Not generating proper selector for targets.
- idiomorph merges attributes on `<turbo-cable-stream-source>` and `connectedCallback()` doesn't run HOT 2
- Add morph to StreamActions HOT 5
- how do I batch multiple turbo stream broadcasts?
- <turbo-cable-stream-source> tag can affect visual layout HOT 1
- broadcast_update_to partial should be smarter and extract the inner_html, it feels like a bug
- Turbo not loading on Safari in production HOT 1
- Any Security Constraints to turbo_method: 'post' functionality?
- using the view transitions API? HOT 1
- Unable to render layouts when using inline turbo stream responses
- 8.0.5: cdn (and thus importmap pins) has broken import paths "CbGBsmqA.js" instead of cable.js
- Turbo Frame + Nginx Cache + data-action-advance
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from turbo-rails.