Is socket secure?

I’m assuming the answer is ‘yes’, but I need confirmation.

Is the socket private to the server/code? For example, if I assign user info to the socket, that information will not change until I explicitly change it and a malicious user can’t do something on their end to change it?

The answer to your first question is yes, the socket state is controlled by a process on the server side. So only your server-side code can modify the socket state.

However, whether “a malicious user can do something on their end to change it” depends on the security of your implementation. A malicious user has complete control of the code running on their end (the JS client) and you should never assume that information coming from the client is valid or trustworthy.

So, for instance, if you naively set a user_id in your socket only because the client told you “this is my user id, trust me!” like this:

# Naive: trusts whatever user_id the client put in the message payload
def handle_in("hello_msg", %{"user_id" => user_id}, socket) do
  {:noreply, assign(socket, :user_id, user_id)}
end

You’re of course opening yourself up to every kind of exploit.

The general rule (in Phoenix or in any other web application) is: always assume that whatever comes from the client has been manipulated by an attacker :slight_smile:

I hope this helps

2 Likes
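One way to establish the user_id on the server side instead of taking it from the client, as an added example that is not part of the original thread: the token is minted at login with Phoenix.Token.sign/4 (not shown), verified once in connect/3, and the channel reads socket.assigns.user_id rather than anything in the message payload. The module names MyAppWeb.UserSocket and MyAppWeb.RoomChannel, the "room:*" topic and the "user socket" salt are assumptions.

```elixir
# UserSocket: authenticate once, at connection time, with a token the
# server itself signed (assumed: Phoenix.Token.sign(MyAppWeb.Endpoint,
# "user socket", user.id) in the login controller).
defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  channel "room:*", MyAppWeb.RoomChannel

  # The token is verified with the endpoint's secret, so the client cannot
  # forge a user_id; a missing or invalid token refuses the connection.
  @impl true
  def connect(%{"token" => token}, socket, _connect_info) do
    case Phoenix.Token.verify(MyAppWeb.Endpoint, "user socket", token,
           max_age: 86_400) do
      {:ok, user_id} -> {:ok, assign(socket, :user_id, user_id)}
      {:error, _reason} -> :error
    end
  end

  def connect(_params, _socket, _connect_info), do: :error

  # Lets the server disconnect all sockets of a user (e.g. on logout).
  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"
end

defmodule MyAppWeb.RoomChannel do
  use Phoenix.Channel

  @impl true
  def join("room:" <> _room_id, _params, socket), do: {:ok, socket}

  # Any user_id in the payload is ignored; the identity set in connect/3
  # lives in socket.assigns and only server-side code can change it.
  @impl true
  def handle_in("hello_msg", _params, socket) do
    push(socket, "hello_reply", %{"user_id" => socket.assigns.user_id})
    {:noreply, socket}
  end
end
```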

Thank you, that helps and brings me peace of mind :slight_smile:

1 Like