Turbo signed-stream-name never expires #85
Comments
I think as a first step you can add authentication at the ActionCable level; this will prevent the user from connecting and subscribing to any channel without a valid session. Example: https://github.com/hotwired/turbo-rails/blob/main/app/channels/turbo/streams_channel.rb#L11
Turbo's signed stream names provided by `turbo_stream_from` never expire: hotwired/turbo-rails#61

Example of how this could be a problem

@team of users: `<turbo-cable-stream-source signed-stream-name=...>` tag in their browser. @team.

Potential mitigations?

`:channel` option for `turbo_stream_from` and the docs for `Turbo::StreamsChannel`: https://github.com/hotwired/turbo-rails/blob/main/app/channels/turbo/streams_channel.rb . Is this sufficient? How often are any custom `Turbo::StreamsChannel` authorization checks invoked - on every message?

`Turbo.signed_stream_verifier_key`?
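Added illustration, not turbo-rails code: a stand-alone HMAC signer that embeds an expiry in the signed stream name, so a leaked `signed-stream-name` value stops verifying after a chosen interval instead of being valid forever. The module name, the constructed secret and the `exp` field are assumptions for this sketch; channel-level authorization as suggested above is still the primary control.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical helper (not part of turbo-rails). It mimics a signed stream
# name but adds an expiry timestamp, which is what the never-expiring
# names produced by turbo_stream_from lack.
module ExpiringStreamName
  # Constructed secret for this example; a real app would use its own
  # verifier key (e.g. Turbo.signed_stream_verifier_key).
  SECRET = "constructed-example-secret"

  # Returns "<base64 payload>--<hmac>", valid for expires_in seconds.
  def self.sign(stream_name, expires_in:, now: Time.now.to_i)
    payload = Base64.strict_encode64(
      JSON.generate("name" => stream_name, "exp" => now + expires_in)
    )
    "#{payload}--#{hmac(payload)}"
  end

  # Returns the stream name, or nil when the signature is invalid,
  # the token is malformed, or the expiry has passed.
  def self.verify(signed, now: Time.now.to_i)
    payload, sig = signed.to_s.split("--", 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(hmac(payload), sig)
    data = JSON.parse(Base64.strict_decode64(payload))
    return nil if data["exp"].to_i <= now   # expired: reject even if signature is good
    data["name"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def self.hmac(data)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  end

  # Constant-time comparison so the check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```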