trying to understand the role of “params” in case of socket connections. Looked through the docs, the forum and Google, but still not quite clear on this yet.
In case of “regular” (i.e. non-websocket) http requests, params simply seem to be the request parameters supplied via URL or POST request, stored in “params” by Phoenix behind the scenes (at least initially).
AFAIK, the params are encoded into the query string, so they can’t be too large, since the URL length is sometimes suggested to be under 2048 characters (there might be limits by the browser? by the web server? both? not sure).
So the client connects to a URL like ws://example.com/socket/websocket?vsn=2.0&token=some_token_sent_from_client and the backend just decodes the query string and passes it into connect/3.
Does it also apply to the connections over TLS? I somewhat blindly believe that everything other than the host – example.com in my example above, – is encrypted over TLS.
But it probably makes sense to avoid putting passwords in there since it can (?) end up in the browser history if longpoll transport is used instead of websocket …
Long tokens will cause longer message to be sent to the server - you leak information which connections are authenticated
When you send token via JS you need to store that token in some place that is accessible for JS (for example Local Storage), which makes you susceptible to XSS side-channel attacks
So in general I would generate short-lived token (like 1m) that is fetched just before connecting and then it is sent to the browser as an authentication and isn’t stored anywhere. The token fetching happens over regular HTTP session with http-only cookie.
I agree here, although I have a word of caution about fetching before connecting. If all clients reconnect at once (or in a few seconds window), then you can end up sending a ton of requests to whatever provides your authentication service. For example, the equivalent of 1.2m rpm was being sent to our server when we did this, and it wasn’t specced for that.
One technique to avoid this is to always have a short lived token available. I use a 10 minute token that is fetched every 5-9 minutes to avoid thundering herd effect.