is set up to handle security by wrapping identifiers into the stream name, (and the framework I’m using - jumpstart pro - seems to be doing that in practice) - but I can’t see any documentation on how this is supposed to be configured/used - and can’t even figure out where/how it is happening…
I can’t see it being any different to html. To access a stream, you still have to hit a route, and a controller action. You can handle authorisation at that level. And then stream responses accordingly.
that sounds like logic needs to exist to whether to broadcast at all (ie. don’t broadcast to unauthorised users), or perhaps, whether to broadcast something different depending on whether users are authorised or not? in your case it sounds like the former.
I’m quite certain it is a known and common problem which people would have had to solve. but i’ve never had to to it personally (yet)…someone on this forum might be better able to help you?
I guess it is early days for this tech - but it does seem like this should be covered in the handbook…
# Used in the view to create a subscription to a stream identified by the <tt>streamables</tt> running over the
# <tt>Turbo::StreamsChannel</tt>. The stream name being generated is safe to embed in the HTML sent to a user without
# fear of tampering, as it is signed using <tt>Turbo.signed_stream_verifier</tt>. Example:
# # app/views/entries/index.html.erb
# <%= turbo_stream_from Current.account, :entries %>
# <div id="entries">New entries will be appended to this target</div>
# The example above will process all turbo streams sent to a stream name like <tt>account:5:entries</tt>
# (when Current.account.id = 5). Updates to this stream can be sent like
# <tt>entry.broadcast_append_to entry.account, :entries, target: "entries"</tt>.