Turbo Stream Security

ConfusedVorlon · October 27, 2021, 9:10am

I’m a bit surprised not to have found standard documentation on this. If I have missed it, please point me in the right direction.

I’m just starting with turbo streams. I have followed the goRails tutorial here:

This lets everyone subscribe and get tweet updates.

My question is what happens when you’re dealing with a resource that is owned by a user.

How do you ensure that updates only go to users who have authorisation for a given resource.

Previously when I used websockets, there was a whole authentication dance. Is that handled for me with the signed stream identifiers?

It looks like

#https://github.com/hotwired/turbo-rails/blob/main/app/helpers/turbo/streams_helper.rb
turbo_stream_from

is set up to handle security by wrapping identifiers into the stream name, (and the framework I’m using - jumpstart pro - seems to be doing that in practice) - but I can’t see any documentation on how this is supposed to be configured/used - and can’t even figure out where/how it is happening…

thanks in advance…

BKSpurgeon · October 27, 2021, 11:30am

I can’t see it being any different to html. To access a stream, you still have to hit a route, and a controller action. You can handle authorisation at that level. And then stream responses accordingly.

ConfusedVorlon · October 27, 2021, 12:53pm

I may just be fundamentally misunderstanding things here. I’m thinking about broadcasts from model updates.

	after_create_commit {broadcast_prepend_to "apps"}
	after_update_commit {broadcast_replace_to "apps"}
	after_destroy_commit {broadcast_remove_to "apps"}

that’s the code in the GoRails demo. Taking that unchanged;

If user1 creates an item, then that item is broadcast to user2, so user2 sees the resource which they’re not supposed to.

Clearly that is the intent in the demo - but it isn’t suitable in my case.

I tried broadcasting to apps_#{account_id} and using

    = turbo_stream_from "apps_#{current_account.id}"
    = turbo_frame_tag "apps_#{current_account.id}" do

but
a) that doesn’t work (I’m not sure why)
b) I don’t understand the setup sufficiently to know whether that is safe/sufficient

BKSpurgeon · October 28, 2021, 12:39am

that sounds like logic needs to exist to whether to broadcast at all (ie. don’t broadcast to unauthorised users), or perhaps, whether to broadcast something different depending on whether users are authorised or not? in your case it sounds like the former.

I’m quite certain it is a known and common problem which people would have had to solve. but i’ve never had to to it personally (yet)…someone on this forum might be better able to help you?

defsdoor · October 28, 2021, 1:30pm

You can pass an active model to turbo_stream_from - rails will generate a unique id for the individual record (ultimately it calls to_gid_param)

= turbo_stream_from @customer

Just using the id doesn’t stop someone from manually subscribing to any id they see fit.

You can authorise connections to a stream as per - ActionCable - Part 3 - Securing Your WebSockets | Drifting Ruby

Action cable is still there

defsdoor · October 28, 2021, 1:49pm

I think this recent commit brings back the ability to specify specific channels also - looks like presently they are all handled by “Turbo::StreamsChannel”

github.com/hotwired/turbo-rails

Problem: inability to customize behavior of a channel (#264)

committed 04:13PM - 26 Oct 21 UTC

yrashk

+58 -3

* Problem: inability to customize behavior of a channel When communicating wi…th turbo streams, `Turbo::StreamsChannel` will only validate signed stream name. No further customization is currently possible. This hinders the capabilities of Turbo Frames as it may not serve all edge cases an application requires. For example, when subscribing to a channel that is being infrequently broadcasted to, it is impossible to transmit last broadcasted value. Solution: allow to specify the channel in `turbo_stream_from` This gives us an opportunity to establish custom behavior by overriding some of the callbacks (`subscribed`, `unsubscribed`, etc.) while retaining full backward compatibility. In order to make development of such channels just a bit easier, I've extracted `verified_stream_name_from_params` into `Turbo::Streams::StreamName`. * Style * Style * Update streams_helper_test.rb * Problem: system test case failure Solution: `verified_stream_name_from_params` should be an instance method and not a class method. Co-authored-by: David Heinemeier Hansson <david@basecamp.com>

ConfusedVorlon · October 29, 2021, 9:25am

looks like the documentation is here in the code:

github.com

hotwired/turbo-rails/blob/main/app/helpers/turbo/streams_helper.rb

module Turbo::StreamsHelper
  # Returns a new <tt>Turbo::Streams::TagBuilder</tt> object that accepts stream actions and renders them as
  # the template tags needed to send across the wire. This object is automatically yielded to turbo_stream.erb templates.
  #
  # When responding to HTTP requests, controllers can declare `turbo_stream` format response templates in that same
  # style as `html` and `json` response formats. For example, consider a `MessagesController` that responds to both
  # `text/html` and `text/vnd.turbo-stream.html` requests along with a `.turbo_stream.erb` action template:
  #
  #   def create
  #     @message = Message.create!(params.require(:message).permit(:content))
  #     respond_to do |format|
  #       format.turbo_stream
  #       format.html { redirect_to messages_url }
  #     end
  #   end
  #
  #   <%# app/views/messages/create.turbo_stream.erb %>
  #   <%= turbo_stream.append "messages", @message %>
  #
  #   <%= turbo_stream.replace "new_message" do %>

This file has been truncated. show original

I guess it is early days for this tech - but it does seem like this should be covered in the handbook…

  # Used in the view to create a subscription to a stream identified by the <tt>streamables</tt> running over the
  # <tt>Turbo::StreamsChannel</tt>. The stream name being generated is safe to embed in the HTML sent to a user without
  # fear of tampering, as it is signed using <tt>Turbo.signed_stream_verifier</tt>. Example:
  #
  #   # app/views/entries/index.html.erb
  #   <%= turbo_stream_from Current.account, :entries %>
  #   <div id="entries">New entries will be appended to this target</div>
  #
  # The example above will process all turbo streams sent to a stream name like <tt>account:5:entries</tt>
  # (when Current.account.id = 5). Updates to this stream can be sent like
  # <tt>entry.broadcast_append_to entry.account, :entries, target: "entries"</tt>.

yunggindigo · October 29, 2021, 11:01am

This is because the broadcastable module and stream_helpers are not a main part of turbo rather turbo is an independent javascript framework designed to be integrated within many different programming languages. This code right here is from the turbo-rails gem and It is the Rails integration with turbo they made to show how it could be integrated with a backend. That is why it is not mentioned in the handbook because it acts separately from turbo

yunggindigo · October 29, 2021, 11:04am

It is mentioned right here in the handbook that it is a reference implementation not a main part of hotwire Turbo Handbook

ConfusedVorlon · October 29, 2021, 3:10pm

Fair enough - I’ll plead guilty to ‘rails first’ thinking!

Having said that, I imagine a lot of users are coming from Rails - and I’m still surprised that there isn’t more documentation on this (even if within turbo-rails rather than the handbook)

Perhaps I’ll post an article

yunggindigo · October 29, 2021, 10:51pm

Yea I know what you mean I was pretty confused about this part as well that could be really helpful!

Topic		Replies	Views
Authentication and Devise with broadcasts	30	14275	May 15, 2024
Proposal: Frame reloads through Streams	7	2316	February 18, 2021
I'm about to give up on Turbo	4	4488	May 6, 2021
Authentication in partial rendered by broadcast later	3	698	February 22, 2022
Turbo Streams - Web Sockets vs Controller Responses in Rails	1	879	November 26, 2021

Turbo Stream Security

Related topics