LiveView issue in my app: old tabs show a state that will allow them to make updates that shouldn’t be allowed

Hi everyone! I’m having trouble figuring out a state bug I’m experiencing with LiveView. Does anyone have time to pair or suggestions on fixing this bug?

Summary:
If the tab has been open for a long time and the user returns to it, it shows an old state and will allow them to make updates that shouldn’t be allowed (e.g. a user completes the same sidequest twice so they get 2x the points for it).

Versions:
{:phoenix, "~> 1.6.10"},
{:phoenix_html, "~> 3.0"},
{:phoenix_live_reload, "~> 1.2", only: :dev},
{:phoenix_live_view, "~> 0.17.7"},

Have you tried implementing form recovery? I had the same issue with incorrect state, so I had to store some extra hidden fields and made an extra function to handle the reconnect.

https://hexdocs.pm/phoenix_live_view/form-bindings.html#recovery-following-crashes-or-disconnects

2 Likes

I haven’t–this is super helpful. Thank you so much!

1 Like

Also consider making this impossible in the application and/or DB layer - maybe some unique index or something…

2 Likes

+1 to @outlog. In general, client input should not be trusted.

2 Likes
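The unique index suggested in the replies above, sketched with Ecto as an added example (not code from the thread or from the poster's app). The module names, the `sidequest_completions` table and its columns are hypothetical, and an existing `MyApp.Repo` and table are assumed.

```elixir
# Hypothetical names throughout: MyApp, sidequest_completions, user_id, sidequest_id.
defmodule MyApp.Repo.Migrations.AddUniqueSidequestCompletion do
  use Ecto.Migration

  def change do
    # At most one row per (user, sidequest); a stale tab's second insert is rejected.
    create unique_index(:sidequest_completions, [:user_id, :sidequest_id])
  end
end

defmodule MyApp.Sidequests.Completion do
  use Ecto.Schema
  import Ecto.Changeset

  schema "sidequest_completions" do
    field :user_id, :integer
    field :sidequest_id, :integer
    field :points, :integer
    timestamps()
  end

  def changeset(completion, attrs) do
    completion
    |> cast(attrs, [:user_id, :sidequest_id, :points])
    |> validate_required([:user_id, :sidequest_id, :points])
    # Converts the index violation into {:error, changeset} instead of raising.
    |> unique_constraint([:user_id, :sidequest_id])
  end
end

defmodule MyApp.Sidequests do
  alias MyApp.{Repo, Sidequests.Completion}

  # `sidequest` is loaded server-side, so points never come from the client.
  def complete(user_id, %{id: sidequest_id, points: points}) do
    attrs = %{user_id: user_id, sidequest_id: sidequest_id, points: points}

    case Repo.insert(Completion.changeset(%Completion{}, attrs)) do
      {:ok, completion} ->
        {:ok, completion}

      {:error, changeset} ->
        dup? = Enum.any?(changeset.errors, fn {_f, {_m, opts}} -> opts[:constraint] == :unique end)
        if dup?, do: {:error, :already_completed}, else: {:error, changeset}
    end
  end
end
```

A LiveView `handle_event/3` that calls `complete/2` can then treat `{:error, :already_completed}` as a signal to reload its assigns, whatever the stale tab was showing.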