pavelsof
LiveView.Socket authentication for a LiveDashboard in production
Imagine we have a Phoenix application with live views and we want to enable the live dashboard in production. We put the live dashboard behind some admins-only authentication, e.g. using Plug.BasicAuth as suggested in the docs.
What would prevent a hypothetical attacker from accessing our live dashboard metrics directly via the Phoenix.LiveView.Socket? As far as my (admittedly not very deep) understanding goes, the plug would protect accessing the live dashboard routes, but (1) the live view socket would happily accept any connection, and (2) the live dashboard does not do auth checks on mount as suggested in the live view docs. Please help me understand!
Most Liked
benwilson512
I could be wrong, but I believe websockets are established by doing a GET and including an upgrade header. This GET is subject to the standard routing and authentication rules, so connecting “directly” isn’t really a thing.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









