grych / drab

Remote controlled frontend framework for Phoenix.
https://tg.pl/drab
MIT License

Security concerns? #2

Closed. pyladune closed this 7 years ago

pyladune commented 7 years ago

This is an outstanding idea/project. How do you handle security? Can we/should we mix this with a token on each call to the server?

vic commented 7 years ago

Currently when you render a page generated by a controller that supports Drab, a new Phoenix token is generated, so the JavaScript must use it to connect via the Phoenix socket. This token is generated per "Controller#action" and it's automatically done for you, so you have nothing to do manually. That's as far as I can tell from what I've read in the source :)

grych commented 7 years ago

Currently (0.1.1) there is no security implemented while handling request from client.

@vic - this token is used to communicate between server and browser (I will not call it client anymore, because in this case the browser is the server!) when you launch, for example, the Drab.Query.select function. Because the idea is to wait for a reply from the browser, on the server side a new process is spawned and its PID is tokenized and sent to the browser. When the browser replies, it attaches the token, so Drab knows which process to send the reply to. But the other way (launching event handlers) nothing is protected so far.

About the security and related stuff, I've been thinking about keeping the token, but not only for security reasons. I'd like to implement some kind of server-side session store. It could be kept in such a token. But on the other hand, I don't like the idea of creating another session store while Phoenix implements one. The best would be to give the handler in the Commander access to the Phoenix session. I have no idea yet how to do it :) especially when you want to modify it.

vic commented 7 years ago

Hey @grych, thanks for the update. I'd like to see how things get settled down in 0.2.0. I would really like to take my react-native prototype further, and if you like the idea of having Drab plugins as you mentioned on the elixirforum thread, I'd like to help with some PRs. But given that Drab is still in flux, I don't know if it would be better to wait a little more. Anyway, feel free to ping me back if you feel like we can start making Drab a bit generic non-jQuery.

Have a good day!

grych commented 7 years ago

Hi @vic, it is in development now :) I will keep you guys updated.

grych commented 7 years ago

@vic - now there is a possibility to use only essentials (I call it Core). Check https://tg.pl/drab/nojquery. More info on Elixir Forum, here I put it for others.

grych commented 7 years ago

@pyladune The existing security model is:

Because the rest of the communication is going over the websockets, I think there is no need to send the token on every function call. What is your opinion?

grych commented 7 years ago

Fixed in 0.2.1. Drab generates an additional token to store the session. This token is passed on each event handler call and checked before launching the event handler function.
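The two mechanisms described in this thread (a signed token carrying the PID of the process waiting for the browser's reply, and a signed session token that is verified before any event handler runs) can be sketched with `Phoenix.Token`. This is an added illustration, not Drab's own code; it assumes a Phoenix dependency, a constructed `@secret` standing in for the endpoint's `secret_key_base`, and `Phoenix.Token` accepting a string secret in place of an endpoint.

```elixir
defmodule DrabTokenSketch do
  # Constructed secret for illustration; a real app uses its endpoint (or its
  # secret_key_base) as the first argument to Phoenix.Token.sign/verify.
  @secret "0123456789abcdef0123456789abcdef0123456789abcdef"
  @pid_salt "drab reply pid"
  @session_salt "drab session"

  # Server side of a call such as Drab.Query.select: spawn a process that waits
  # for the browser's answer and return a signed token carrying its PID. The
  # token is signed, so the browser can echo it back but cannot forge one that
  # points at an arbitrary server process.
  def await_browser_reply(timeout \\ 5_000) do
    parent = self()

    waiter =
      spawn(fn ->
        receive do
          {:browser_reply, payload} -> send(parent, {:drab_result, payload})
        after
          timeout -> send(parent, {:drab_result, {:error, :timeout}})
        end
      end)

    Phoenix.Token.sign(@secret, @pid_salt, waiter)
  end

  # Called when the browser's message arrives over the socket: verify the
  # token (signature and age) before routing the payload to any process.
  def handle_browser_reply(token, payload) do
    case Phoenix.Token.verify(@secret, @pid_salt, token, max_age: 60) do
      {:ok, pid} when is_pid(pid) ->
        send(pid, {:browser_reply, payload})
        :ok

      {:error, reason} ->
        {:error, reason}
    end
  end

  # The 0.2.1 session token: issued when the page is rendered and checked on
  # every event handler call before the handler function is launched.
  def issue_session_token(session) when is_map(session) do
    Phoenix.Token.sign(@secret, @session_salt, session)
  end

  def run_event_handler(token, handler) when is_function(handler, 1) do
    case Phoenix.Token.verify(@secret, @session_salt, token, max_age: 86_400) do
      {:ok, session} -> handler.(session)
      {:error, _} = error -> error
    end
  end
end
```

A tampered or expired token makes `Phoenix.Token.verify/4` return `{:error, :invalid}` or `{:error, :expired}`, so neither the reply routing nor the event handler runs on unverified input.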