I know this is a really basic question, but I am having trouble figuring out how to authorize channel join events.
The phx.gen.channeltemplate includes a private authorized?/1 function. If I want to find the user’s id to check their authorization role (I’m using phauxth), do I go about that by pattern matching the current_user from the payload argument? Or, can I check the socket directly for the current_user? If so, how? Just trying to check against socket.assigns.current_user but don’t know how…
# Add authorization logic here as required.
defp authorized?(_payload) do
true
end
which is called in:
def join("room:lobby", payload, socket) do
if authorized?(payload) do
{:ok, socket}
else
{:error, %{reason: "unauthorized"}}
end
end
def connect(%{"token" => token}, socket) do
with {:ok, user_id} <- verify_token(token),
user <- Accounting.get_user(user_id) do
{:ok, assign(socket, :current_user, user)}
else
{:error, _reason} ->
:error
end
end
I decode a token (a phoenix token), with this helper
def join("user:" <> id, _params, socket) do
if String.to_integer(id) === socket.assigns.current_user.id do
{:ok, socket}
else
{:error, %{reason: "Not authorized"}}
end
end
In your case, You might just check for socket.assigns.current_user
I do the authentication in user_socket to get the user id.
Now in room_channel, to authorize the user, would it be a good idea to set the argument of authorized?/1 as socket.assigns.current_user?
def join("room:" <> room_id, payload, socket) do
if authorized?(socket.assigns.current_user) do
{:ok, socket}
else
{:error, "nope not authorized"}
end
end
.
defp authorized?(useridpayload) do
useridpayload = String.to_integer(useridpayload)
... repo get user role pseudocode..
case role do
"admin" -> true
"user" -> true
_ -> false
end
end