SpoonWood
LiveView Websocket Security
Hello Everyone,
We are using LiveView to build a feature that displays some information in the admin dashboard of our application, but we are not quite sure how to secure the websocket against access by non-registered users.
Is the socket secure if we are using a signing salt and a session key, having installed LiveView the exact way that's recommended on Hexdocs.pm (we are using LiveView 0.8.1 currently)?
Thank you very much in advance
Most Liked Responses
chrismccord
Add your live route definition behind your regular :admin plug/pipeline that performs admin user authentication and you are all set. You can reference the user off the HTTP request, and fall back to the user_id in the session, which comes from a signed token on the client, so you are covered in both HTTP and WebSocket cases security-wise:
# router
scope "/admin", ... do
  # :admin runs before the live route is reached, so an unauthenticated
  # request never gets as far as rendering or joining the socket
  pipe_through [:browser, :admin]
  live "/", MyLive
end
# LV
defmodule MyLive do
  # the session map is read from the signed session, so "admin_user_id"
  # cannot be forged by the client; the same value is available on the
  # initial HTTP render and on the WebSocket connect
  def mount(params, %{"admin_user_id" => id}, socket) do
    {:ok, assign_new(socket, :current_admin, fn -> Accounts.get_admin!(id) end)}
  end
end
josevalim
Here are the changes to enable this feature on top of mix phx.gen.auth: Set the live_socket_id on login and disconnect on logout · dashbitco/mix_phx_gen_auth_demo@1eebcae · GitHub
It is really straightforward and it is per session (i.e. it doesn't disconnect all sessions, only the current one).
josevalim
Every operation you do against the database needs to be verified for user permission: you need to check if the user belongs to that organization, if they are the manager of a project, if they can access that chat room, etc. This logic is generally kept in the context, tied to the domain operation, so you go through it regardless of whether you are interacting with your domain via live views or controllers. In code, this means you should do:
Org.get_org_by_user(user, org_id)
Instead of:
Org.get_org(org_id)
Failing to scope this on regular HTTP requests can also be very troublesome, as it means a user can access any other organization.
The scenario you describe is only a concern if you are "preloading" permissions and storing them somewhere, which is no different from putting them in a cache, or an agent, live view state, etc.
And for things like user access, LV supports disconnecting any enabled socket. I even plan to submit changes to mix phx.gen.auth so we perform this disconnection by default on logout.
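Putting the two answers together, here is an added example (not code from the thread or from Phoenix) of a context function scoped by the current user, as José describes, used from a LiveView mount that reads the user from the signed session, as Chris describes. The module and schema names (MyApp.Org, MyApp.Accounts, Organization, Membership, MyAppWeb.OrgLive) and the "user_id" session key are assumptions.

```elixir
defmodule MyApp.Org do
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Org.{Organization, Membership}

  # Unscoped: any caller who knows an id can read the row. Avoid in code
  # paths that act on behalf of a user, over HTTP or over the socket.
  def get_org(org_id), do: Repo.get(Organization, org_id)

  # Scoped: the join against memberships makes the query return nil unless
  # the caller belongs to the organization. The check lives with the domain
  # operation, so controllers and live views share it automatically.
  def get_org_by_user(%{id: user_id}, org_id) do
    from(o in Organization,
      join: m in Membership,
      on: m.organization_id == o.id,
      where: o.id == ^org_id and m.user_id == ^user_id,
      select: o
    )
    |> Repo.one()
  end
end

defmodule MyAppWeb.OrgLive do
  use Phoenix.LiveView
  alias MyApp.{Accounts, Org}

  # The session map comes from the signed session, so "user_id" is trusted;
  # "org_id" in params is caller-controlled and must be scoped to that user.
  def mount(%{"org_id" => org_id}, %{"user_id" => user_id}, socket) do
    socket = assign_new(socket, :current_user, fn -> Accounts.get_user!(user_id) end)

    case Org.get_org_by_user(socket.assigns.current_user, org_id) do
      # Same response for "does not exist" and "not a member", so the
      # existence of other organizations is not revealed.
      nil -> {:ok, socket |> put_flash(:error, "Not found") |> redirect(to: "/")}
      org -> {:ok, assign(socket, :org, org)}
    end
  end

  # No user in the session: the route was reached without authentication.
  def mount(_params, _session, socket), do: {:ok, redirect(socket, to: "/login")}

  def render(assigns), do: ~L"<h1><%= @org.name %></h1>"
end
```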