Turbo signed-stream-name never expires

[eliotsykes]

Turbo's signed stream names provided by turbo_stream_from never expire: https://github.com/hotwired/turbo-rails/issues/61

Example of how this could be a problem

• Turbo stream is generated for a @team of users:

  <%= turbo_stream_from @team %>

• A team member saves the generated signed-stream-name, or keeps a page open containing the generated <turbo-cable-stream-source signed-stream-name=...> tag in their browser.
• This team member is removed from the @team.
• The removed team member can still receive data from the turbo stream as they have the signed-stream-name.

Potential mitigations?

• Use a custom channel class that performs authorization checks. See the :channel option for turbo_stream_from and the docs for Turbo::StreamsChannel: https://github.com/hotwired/turbo-rails/blob/main/app/channels/turbo/streams_channel.rb . Is this sufficient? How often are any custom Turbo::StreamsChannel authorization checks invoked - on every message??
• Frequently rotate the secret used for Turbo.signed_stream_verifier_key?

[lu-x]

This team member is removed from the @team. The removed team member can still receive data from the turbo stream as they have the signed-stream-name.

I think as a first step you can add authentication on the ActionCable level, this will prevent the user from connecting and subscribing to any channel without a valid session.
If the user has a valid session (for example with a new account) i guess authorization has to take place during the subscription to the specific channel.

Example: https://github.com/hotwired/turbo-rails/blob/main/app/channels/turbo/streams_channel.rb#L11 However, i'm not sure what's a good way to authorise the user, maybe it's possible to include a user id in the stream name and then compare it to the user id retrieved from the session (?).