We are using LiveView to build a feature that displays some information in the admin dashboard of our Application, but we are not quite sure how to secure the websocket against access of non registered users.
Is the socket secure if we are using a signing salt and a Session key, having installed LiveView the exact Way thats recommended on Hexdocs.pm (we are using LiveView 0.8.1 currently)
there should be lots of different approach. But one approach is using Phoenix.Token to sign some user session data. and then in Socket.connect/3 we can verify if the token is valid. because the token is signed, it helps us against of tampering but if you don’t want people able to see what’s inside the token, you can also use Phoenix.Token.encrypt
Add your live route definition behind your regular :admin plug/pipeline that performs admin user authentication and you are all set. You can reference the user off the HTTP request, and fallback to the user_id in the session, which comes from a signed token on the client, so you are covered in both HTTP and WebSocket cases security wise:
# router
scope "/admin", ... do
pipe_through [:browser, :admin]
live "/", MyLive
end
# LV
defmodule MyLive do
def mount(params, %{"admin_user_id" => id}, socket) do
{:ok, assign_new(socket, :current_admin, fn -> Accounts.get_admin!(id) end)}
end
end
I’m wondering if we’d need to talk about another factor of security for liveview:
A liveview process is long lived and potentially valid indefinitely if the connection is kept alive. For http one would check the validity of the user for each request, because it’s stateless. With stateful connections this can be more tiered, e.g. let the user read things for a certain time (or indefinitely) while e.g. checking validity for each writing operation. Even writing operations could be tiered to only creating data and destructive operations overwriting existing data. But I’m not really seeing those options used in the wild. Most people seem to fetch the user once and let it be valid for the lifetime of the liveview process. Isn’t this a potentially dangerous way of handling authentication?
Every operation you do against the database needs to be verified for user permission, you need to check if the user belongs to that organization, if they are the manager of a project, if they can access that chat room, etc. This logic is generally kept in the context, tied to the domain operation, so you go through it regardless if you are interacting with your domain via live views or controllers. In code, this means you should do:
Org.get_org_by_user(user, org_id)
Instead of:
Org.get_org(org_id)
Failing to scope this on regular HTTP requests can also be very troublesome, as it means a user can access any other organization.
The scenario you describe is only a concern if you are “preloading” permissions and storing it somewhere, which is not different from putting it in a cache, or an agent, live view state, etc.
And for things like user access, LV supports disconnecting any enabled socket. I even plan to submit changes to mix phx.gen.auth so we perform this disconnection by default on logout.
This is the part my question was targeted at - user sessions. If a session is compromised and the session key is removed from its storage on the server fresh http requests will fail to validate. For liveview existing connections either need to be closed if a certain session key is invalidated or at least have some means to over time detect that the session is no longer valid.
Edit:
I just looked at the example in detail: I’m not sure if a logout should close all connections scoped to the user. When I’m logging out of my desktop I won’t want to disconnect my laptop at the same time. For normal usage disconnecting by session key would seem like the way to go, possibly having a way to disconnect anything linked to a user account.
I am new to LV, therefore I may be misunderstanding something here, but to me this approach seems to let me run an enumeration attack by changing the id in the admin_user_id, thus letting me to get access to other admins?
You can also disconnect just one of the sessions. All you have to do is identify the connections per session token rather than user id. That’s what I am submitting to mix phx.gen.auth.
I’m using the LiveView and also approach phx.gen.auth.
The web execute login as usual, but how can we logout by using UserAuth.logout_user from LiveView (no @conn)? As there is the logout templates that are rendered underneath LiveView’s template.
Thank for your instant feedback, but the current logout link in template is: <%= link "Logout", to: Routes.user_session_path(@conn, :delete), method: :delete %>
Then could we put the @conn to session at the login (as the usual) and use @conn in Liveview (mount(_, session, socket)) to put assigns to render the Logout link?
Imagine that we stand somewhere in Liveview and need the precisely way to perform logout action.
You should be able to generate the url just fine with both a conn or a socket. It just can’t be a live_patch or phx-click action, but it must be a proper http call to the server to log the user out.
After read the docs about links , I’ve changed the template and now no need to pass @conn: <li><%= link "Logout", to: "/users/logout", method: :delete %></li>
But I still misunderstand why the default template _user_menu.html.eex in mix phx.gen.auth use @conn at: <%= link "Logout", to: Routes.user_session_path(@conn, :delete), method: :delete %>