is set up to handle security by wrapping identifiers into the stream name, (and the framework I’m using - jumpstart pro - seems to be doing that in practice) - but I can’t see any documentation on how this is supposed to be configured/used - and can’t even figure out where/how it is happening…
I can’t see it being any different to html. To access a stream, you still have to hit a route, and a controller action. You can handle authorisation at that level. And then stream responses accordingly.
that sounds like logic needs to exist to whether to broadcast at all (ie. don’t broadcast to unauthorised users), or perhaps, whether to broadcast something different depending on whether users are authorised or not? in your case it sounds like the former.
I’m quite certain it is a known and common problem which people would have had to solve. but i’ve never had to to it personally (yet)…someone on this forum might be better able to help you?
I think this recent commit brings back the ability to specify specific channels also - looks like presently they are all handled by “Turbo::StreamsChannel”
I guess it is early days for this tech - but it does seem like this should be covered in the handbook…
# Used in the view to create a subscription to a stream identified by the <tt>streamables</tt> running over the
# <tt>Turbo::StreamsChannel</tt>. The stream name being generated is safe to embed in the HTML sent to a user without
# fear of tampering, as it is signed using <tt>Turbo.signed_stream_verifier</tt>. Example:
#
# # app/views/entries/index.html.erb
# <%= turbo_stream_from Current.account, :entries %>
# <div id="entries">New entries will be appended to this target</div>
#
# The example above will process all turbo streams sent to a stream name like <tt>account:5:entries</tt>
# (when Current.account.id = 5). Updates to this stream can be sent like
# <tt>entry.broadcast_append_to entry.account, :entries, target: "entries"</tt>.
This is because the broadcastable module and stream_helpers are not a main part of turbo rather turbo is an independent javascript framework designed to be integrated within many different programming languages. This code right here is from the turbo-rails gem and It is the Rails integration with turbo they made to show how it could be integrated with a backend. That is why it is not mentioned in the handbook because it acts separately from turbo
Fair enough - I’ll plead guilty to ‘rails first’ thinking!
Having said that, I imagine a lot of users are coming from Rails - and I’m still surprised that there isn’t more documentation on this (even if within turbo-rails rather than the handbook)