SpoonWood

LiveView Websocket Security

Hello Everyone,

We are using LiveView to build a feature that displays some information in the admin dashboard of our application, but we are not quite sure how to secure the websocket against access by non-registered users.

Is the socket secure if we are using a signing salt and a session key, having installed LiveView the exact way that's recommended on Hexdocs.pm (we are using LiveView 0.8.1 currently)?

Thank you very much in advance

Most Liked Responses

chrismccord

Creator of Phoenix

Add your live route definition behind your regular :admin plug/pipeline that performs admin user authentication and you are all set. You can reference the user off the HTTP request, and fall back to the user_id in the session, which comes from a signed token on the client, so you are covered in both HTTP and WebSocket cases security-wise:

  # router: the :admin pipeline authenticates the HTTP request that renders the page
  scope "/admin", ... do
    pipe_through [:browser, :admin]

    live "/", MyLive
  end

  # LV: the WebSocket mount receives the same signed session, so the same key is checked here
  defmodule MyLive do
    use Phoenix.LiveView

    # assign_new reuses the conn assign on the HTTP render and loads once on the socket
    def mount(_params, %{"admin_user_id" => id}, socket) do
      {:ok, assign_new(socket, :current_admin, fn -> Accounts.get_admin!(id) end)}
    end
  end
josevalim

Creator of Elixir

Here are the changes to enable this feature on top of mix phx.gen.auth: Set the live_socket_id on login and disconnect on logout · dashbitco/mix_phx_gen_auth_demo@1eebcae · GitHub

It is really straight-forward and it is per session (i.e. it doesn’t disconnect all sessions, only the current one).
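Putting the two answers above together (the :admin pipeline in front of the live route, and the live_socket_id set on login and disconnected on logout that the linked commit describes), as an added example rather than code from this thread, from Phoenix or from the linked repository. The module names, the paths, the session key names and the MyApp.Accounts functions (get_admin!/1, authenticate_admin/1) are assumptions; the ~L sigil is the template sigil of the LiveView 0.8 series the question refers to.

```elixir
# Added example; not code from this thread or from Phoenix/LiveView.
# Assumed: MyApp.Accounts.get_admin!/1 and authenticate_admin/1, the module
# names, the paths and the session key names.

defmodule MyAppWeb.Plugs.RequireAdmin do
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2]

  def init(opts), do: opts

  # Enforces admin auth on the HTTP request that renders the LiveView page.
  def call(conn, _opts) do
    case get_session(conn, "admin_user_id") do
      nil -> conn |> redirect(to: "/admin/login") |> halt()
      id -> assign(conn, :current_admin, MyApp.Accounts.get_admin!(id))
    end
  end
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  pipeline :admin do
    plug MyAppWeb.Plugs.RequireAdmin
  end

  scope "/admin", MyAppWeb do
    pipe_through [:browser, :admin]

    live "/", AdminDashboardLive
  end
end

defmodule MyAppWeb.AdminSessionController do
  use MyAppWeb, :controller

  # Login: store the admin id plus a per-session live_socket_id. Every
  # LiveView socket opened with this session subscribes to that topic.
  def create(conn, %{"admin" => params}) do
    case MyApp.Accounts.authenticate_admin(params) do
      {:ok, admin} ->
        token = Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)

        conn
        |> configure_session(renew: true)
        |> put_session("admin_user_id", admin.id)
        |> put_session(:live_socket_id, "admin_sessions:#{token}")
        |> redirect(to: "/admin")

      :error ->
        conn |> put_flash(:error, "Invalid credentials") |> redirect(to: "/admin/login")
    end
  end

  # Logout: broadcasting "disconnect" on the live_socket_id closes the open
  # LiveView for this session only (other sessions of the same admin stay
  # connected), then the session itself is dropped.
  def delete(conn, _params) do
    if live_socket_id = get_session(conn, :live_socket_id) do
      MyAppWeb.Endpoint.broadcast(live_socket_id, "disconnect", %{})
    end

    conn |> configure_session(drop: true) |> redirect(to: "/admin/login")
  end
end

defmodule MyAppWeb.AdminDashboardLive do
  use Phoenix.LiveView

  # The WebSocket mount does not run the router pipeline, but it receives the
  # same signed session, so the same key is checked here. assign_new reuses
  # the plug's conn assign on the HTTP render and loads once on the socket.
  def mount(_params, %{"admin_user_id" => id}, socket) do
    {:ok, assign_new(socket, :current_admin, fn -> MyApp.Accounts.get_admin!(id) end)}
  end

  # No admin id in the session: never mount, redirect instead.
  def mount(_params, _session, socket) do
    {:ok, redirect(socket, to: "/admin/login")}
  end

  def render(assigns) do
    ~L"""
    <h1>Admin dashboard for <%= @current_admin.email %></h1>
    """
  end
end
```

The second mount clause is the part that matters for the WebSocket case: the router pipeline only guards the initial HTTP render, so a LiveView that pattern-matches only the happy path would crash (and be retried by the client) rather than redirect when the session lacks the key.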

josevalim

Creator of Elixir

Every operation you do against the database needs to be verified for user permission: you need to check if the user belongs to that organization, if they are the manager of a project, if they can access that chat room, etc. This logic is generally kept in the context, tied to the domain operation, so you go through it regardless of whether you are interacting with your domain via live views or controllers. In code, this means you should do:

Org.get_org_by_user(user, org_id)

Instead of:

Org.get_org(org_id)

Failing to scope this on regular HTTP requests can also be very troublesome, as it means a user can access any other organization.

The scenario you describe is only a concern if you are “preloading” permissions and storing it somewhere, which is not different from putting it in a cache, or an agent, live view state, etc.

And for things like user access, LV supports disconnecting any enabled socket. I even plan to submit changes to mix phx.gen.auth so we perform this disconnection by default on logout.
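The scoped-versus-unscoped lookup described above, carried through to an Ecto context and the LiveView that calls it, as an added example that is not code from this thread or from Phoenix. The Org and Membership schemas (with org_id, user_id and role fields), MyApp.Accounts.get_user!/1, the module names and the session key are assumptions; ~L is the LiveView 0.8-era template sigil.

```elixir
# Added example; not code from this thread or from Phoenix/LiveView.
# Assumed: MyApp.Orgs.Org and MyApp.Orgs.Membership Ecto schemas (Membership
# has org_id, user_id and role), MyApp.Accounts.get_user!/1, the session key.

defmodule MyApp.Orgs do
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Orgs.{Org, Membership}

  # Unscoped: any authenticated user who supplies an id gets the row.
  def get_org(org_id), do: Repo.get(Org, org_id)

  # Scoped: the membership join makes the permission part of the query, so a
  # non-member gets nil (and the caller redirects) instead of another org's data.
  def get_org_by_user(%{id: user_id}, org_id) do
    from(o in Org,
      join: m in Membership,
      on: m.org_id == o.id and m.user_id == ^user_id,
      where: o.id == ^org_id
    )
    |> Repo.one()
  end

  # Writes follow the same rule: the row is located through a membership with
  # the required role, never by id alone, and the check runs on every call.
  def update_org(%{id: user_id}, org_id, attrs) do
    query =
      from(o in Org,
        join: m in Membership,
        on: m.org_id == o.id and m.user_id == ^user_id and m.role == "manager",
        where: o.id == ^org_id
      )

    case Repo.one(query) do
      nil -> {:error, :unauthorized}
      org -> org |> Org.changeset(attrs) |> Repo.update()
    end
  end
end

defmodule MyAppWeb.OrgLive do
  use Phoenix.LiveView

  # The user id comes from the signed session on both the HTTP render and the
  # WebSocket mount; the org id comes from the URL and is never trusted alone.
  def mount(%{"id" => org_id}, %{"user_id" => user_id}, socket) do
    user = MyApp.Accounts.get_user!(user_id)

    case MyApp.Orgs.get_org_by_user(user, org_id) do
      nil -> {:ok, redirect(socket, to: "/")}
      org -> {:ok, assign(socket, current_user: user, org: org)}
    end
  end

  def mount(_params, _session, socket), do: {:ok, redirect(socket, to: "/login")}

  # The role is re-checked inside the context on each event rather than read
  # from state computed at mount time, so a revoked membership takes effect
  # on the next operation even while the socket stays open.
  def handle_event("rename", %{"name" => name}, socket) do
    %{current_user: user, org: org} = socket.assigns

    case MyApp.Orgs.update_org(user, org.id, %{name: name}) do
      {:ok, org} -> {:noreply, assign(socket, :org, org)}
      {:error, :unauthorized} -> {:noreply, put_flash(socket, :error, "Not allowed")}
      {:error, %Ecto.Changeset{}} -> {:noreply, put_flash(socket, :error, "Invalid name")}
    end
  end

  def render(assigns) do
    ~L"""
    <h1><%= @org.name %></h1>
    """
  end
end
```

Because the permission lives in the query, the same MyApp.Orgs functions give the same answer from a controller action, a LiveView event or a background job, which is the point of keeping the check in the context rather than in the LiveView's assigns.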
