From ee2ebeff3e175382225d7173dcc6813a236d0c49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20Ramho=CC=88j=20Holtryd?= Date: Tue, 22 Oct 2024 10:30:55 +0200 Subject: [PATCH] =?UTF-8?q?Allow=20the=20application=20to=20configure=20Tu?= =?UTF-8?q?rbo::StreamChannel=E2=80=99s=20inheritance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `ApplicationCable::Connection` allows the application to apply authentication to all streams method, including those from `Turbo::Broadcastable`. By allowing `Turbo::StreamsChannel` to inherit from `ApplicationCable::Channel` we open up a symmetrical path for authorization. In the spirit of being secure by default we should be moving towards making `Turbo.base_stream_channel_class` default to `"ApplicationCable::Channel"` but doing so without warning would break applications relying on `ApplicationCable::Connection#authorized?` for non-turbo broadcastable streams only. Once we deem it safe we can remove the awkward initialiser and hard code `ApplicationCable::Channel` as the super class. If people needs different super classes for `Turbo::StreamsChannel` and custom channels they can simply add another super class to inherit from in their application. To-dos: - [ ] Generate the initializer on rails new - [ ] Add a commented out method in the rails new / channel generator to encourage authorization. - [ ] Decide on a roll out plan for making inheriting from `ApplicationCable::Channel` the default. --- README.md | 59 ++++++++++++++++++++++++++- app/channels/turbo/streams_channel.rb | 58 +++++++++++++++----------- lib/turbo-rails.rb | 2 + lib/turbo/railtie.rb | 11 +++++ 4 files changed, 105 insertions(+), 25 deletions(-) create mode 100644 lib/turbo/railtie.rb diff --git a/README.md b/README.md index beeae82e..aa570ba4 100644 --- a/README.md +++ b/README.md @@ -100,6 +100,63 @@ This gem provides a `turbo_stream_from` helper to create a turbo stream. <%# Rest of show here %> ``` +### Security + +#### Signed stream names + +Turbo stream names are always cryptographically signed, meaning that they can't be guessed or tampered with. + +#### Authentication + +While stream names are signed, they could still end up in the wrong hands. It's generally recommended to authenticate connections. You can do so in `ApplicationCable::Connection`: + +```rb +module ApplicationCable + class Connection < ActionCable::Connection::Base + identified_by :current_user + + def connect + self.current_user = find_verified_user + end + + private + def find_verified_user + if verified_session = Session.find_by(id: cookies.signed[:session_id]) + verified_session.user + else + reject_unauthorized_connection + end + end + end +end +``` + +#### Authorization + +In multi-tenancy apps it's often important to authorize your subscriptions: + +```rb +# config/application.rb + +config.turbo.base_stream_channel_class = "ApplicationCable::Channel" +``` + +You can now implement your domain authorization: + +```rb +# app/channels/application_cable/channel.rb + +module ApplicationCable + class Channel < ActionCable::Channel::Base + private + + def authorized? + current_user.can_access? streamable + end + end +end +``` + ### Testing Turbo Stream Broadcasts Receiving server-generated Turbo Broadcasts requires a connected Web Socket. @@ -182,7 +239,7 @@ import "@hotwired/turbo-rails" You can watch [the video introduction to Hotwire](https://hotwired.dev/#screencast), which focuses extensively on demonstrating Turbo in a Rails demo. Then you should familiarize yourself with [Turbo handbook](https://turbo.hotwired.dev/handbook/introduction) to understand Drive, Frames, and Streams in-depth. Finally, dive into the code documentation by starting with [`Turbo::FramesHelper`](https://github.com/hotwired/turbo-rails/blob/main/app/helpers/turbo/frames_helper.rb), [`Turbo::StreamsHelper`](https://github.com/hotwired/turbo-rails/blob/main/app/helpers/turbo/streams_helper.rb), [`Turbo::Streams::TagBuilder`](https://github.com/hotwired/turbo-rails/blob/main/app/models/turbo/streams/tag_builder.rb), and [`Turbo::Broadcastable`](https://github.com/hotwired/turbo-rails/blob/main/app/models/concerns/turbo/broadcastable.rb). -Note that in development, the default Action Cable adapter is the single-process `async` adapter. This means that turbo updates are only broadcast within that same process. So you can't start `bin/rails console` and trigger Turbo broadcasts and expect them to show up in a browser connected to a server running in a separate `bin/dev` or `bin/rails server` process. Instead, you should use the web-console when needing to manaually trigger Turbo broadcasts inside the same process. Add "console" to any action or "<%= console %>" in any view to make the web console appear. +Note that in development, the default Action Cable adapter is the single-process `async` adapter. This means that turbo updates are only broadcast within that same process. So you can't start `bin/rails console` and trigger Turbo broadcasts and expect them to show up in a browser connected to a server running in a separate `bin/dev` or `bin/rails server` process. Instead, you should use the web-console when needing to manaually trigger Turbo broadcasts inside the same process. Add "console" to any action or "<%= console %>" in any view to make the web console appear. ### RubyDoc Documentation diff --git a/app/channels/turbo/streams_channel.rb b/app/channels/turbo/streams_channel.rb index adb614b4..c661eed9 100644 --- a/app/channels/turbo/streams_channel.rb +++ b/app/channels/turbo/streams_channel.rb @@ -5,41 +5,51 @@ # using the view helper Turbo::StreamsHelper#turbo_stream_from(*streamables). # If the signed stream name cannot be verified, the subscription is rejected. # -# In case if custom behavior is desired, one can create their own channel and re-use some of the primitives from -# helper modules like Turbo::Streams::StreamName: +# It's important to understand that while stream names are signed, Turbo::StreamsChannel doesn't authenticate connections or +# authorize subscriptions. You can configure Turbo::StreamChannel to use e.g your ApplicationCable::Channel to +# implement authorization: # -# class CustomChannel < ActionCable::Channel::Base -# extend Turbo::Streams::Broadcasts, Turbo::Streams::StreamName -# include Turbo::Streams::StreamName::ClassMethods -# -# def subscribed -# if (stream_name = verified_stream_name_from_params).present? && -# subscription_allowed? -# stream_from stream_name -# else -# reject -# end -# end -# -# def subscription_allowed? -# # ... -# end +# # config/initializers/turbo.rb +# Rails.application.config.to_prepare do +# Turbo.base_stream_channel_class = "ApplicationCable::Channel" # end # -# This channel can be connected to a web page using :channel option in -# turbo_stream_from helper: -# -# <%= turbo_stream_from 'room', channel: CustomChannel %> +# You can also choose which channel to use via: +# <%= turbo_stream_from "room", channel: CustomChannel %> # -class Turbo::StreamsChannel < ActionCable::Channel::Base +# Note that any channel that listens to a Turbo::Broadcastable compatible stream name +# (e.g verified_stream_name_from_params) can also be subscribed to via Turbo::StreamsChannel. Meaning that you should +# never use the turbo_stream_from :channel option to implement authorization. +class Turbo::StreamsChannel < Turbo.base_stream_channel_class.constantize extend Turbo::Streams::Broadcasts, Turbo::Streams::StreamName include Turbo::Streams::StreamName::ClassMethods def subscribed - if stream_name = verified_stream_name_from_params + if subscription_allowed? stream_from stream_name else reject end end + + private + def subscription_allowed? + stream_name && authorized? + end + + def stream_name + @stream_name ||= verified_stream_name_from_params + end + + # Override this method to match your authorization rules in Turbo.base_stream_channel_class e.g: + # current_user.can_access? streamable. current_user should match your + # ApplicationCable::Connection identified_by. + def authorized? + defined?(super) ? super : true + end + + # Helpful for implementing domain specific authorization rules when overriding authorized?. + def streamable + @streamable ||= GlobalID::Locator.locate(stream_name) + end end diff --git a/lib/turbo-rails.rb b/lib/turbo-rails.rb index ee81e814..07b52fd8 100644 --- a/lib/turbo-rails.rb +++ b/lib/turbo-rails.rb @@ -1,10 +1,12 @@ require "turbo/engine" +require "turbo/railtie" require "active_support/core_ext/module/attribute_accessors_per_thread" module Turbo extend ActiveSupport::Autoload mattr_accessor :draw_routes, default: true + mattr_accessor :base_stream_channel_class, default: "ActionCable::Channel::Base" thread_mattr_accessor :current_request_id diff --git a/lib/turbo/railtie.rb b/lib/turbo/railtie.rb new file mode 100644 index 00000000..1cebe3cb --- /dev/null +++ b/lib/turbo/railtie.rb @@ -0,0 +1,11 @@ +module Turbo + class Railtie < ::Rails::Railtie + config.turbo = ActiveSupport::OrderedOptions.new + + initializer "turbo.configure" do |app| + if base_class = app.config.turbo&.base_stream_channel_class + Turbo.base_stream_channel_class = base_class + end + end + end +end