Validating channel clients


I am starting working on a server application is responsible for communicating with any number of clients via phoenix channels.

One important part of my applications is determining the status of a client. Currently I see the system functioning like the following:

  • Device is added to list of valid clients on server
  • Device status is displayed on server UI based on response from the “real” client when it is plugged into the Internet

The server will be expecting a status payload in a particular format that identifies the client, but I am not sure what method would be best to validate the clients. What would be the most secure way to identify that the status payload is being received from that client?

I am still planning out this application on paper, so I don’t have any code yet.

At a later date the server will be sending commands to the clients I would also like for the clients to be able to validate that the commands are being sent from my server and are not being spoofed by a different server.


1 Like

Did You look at Phoenix.Presence?

I think it can help with

determining the status of a client

1 Like

It sounds to me like you’ll need shared secrets.

  1. When a client connects for the first time, send a unique token back with the response. Any subsequent requests from the client must contain this token.

  2. For server validation, the server and the client could share a secret. The server can then use this secret to sign commands. (Maybe add a “signature” field to the command payload) How exactly you get the secret onto the client is up to you.

It’s also worth mentioning that you might not need server validation if you use WSS (Websocket secure, equivalent of HTTPS). A third party attacker will presumably not have access to your HTTPS certificate, and will not be able to sign requests impersonating your server.

1 Like

You can also look at using TLS client authentication. See [this] ( article, for example.

As @danielberkompas mentioned, “How exactly you get the secret onto the client is up to you.” In this case, that would be a private key issued to your client under your PKI.

Thanks all… I’ll look into these. I was thinking about writing a library to handle this, but sounds like Presence might do the trick.