mmmrrr
Channels and authentication: what about token theft and how is it solved in LiveView?
I just read Channels — Phoenix v1.8.8 again and some threads regarding the authentication in channels and now I’m confused.
As far as I understand it you should never expose authentication credentials to any part of a website that can be read by JS since an attacker could use this information to access your API. But in the docs it is described to render a Phoenix.Token into the site and use that to connect to the channel.
I understand that websocket connections are vulnerable to cross-origin attacks, so you cannot simply access the session.
And now I wonder how to do this securely? Because on one hand we cannot access the HTTP-Only session cookie and on the other rendering the Phoenix.Token would be vulnerable against cross site scripting if I’m not mistaken…
Also in LiveView I noticed that the second parameter for “mount” is actually session. How is that implemented? Is that the reason, we have to pass a csrf token? Could this technique also be used in channels?
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance










