How safe and idiomatic would be to use phoenix channels for unauthenticated users instead of ajax

powerbit Source

A little context and use case: I have this phoenix app that allows authenticated users to search in database, to retrieve public data. The unauthenticated users use ajax calls and routes to trigger controller and send back a json response to have the same result.

Is it ok to connect somehow unauthenticated users to the private channel maybe as guests or something so that I can ditch ajax calls? How do you solved this in your app?

I create my socket connection like this:

socket = new Socket('/socket', {params: {guardian_token: app.guardian_token}})

If it is possible, what should I be careful about?




answered 3 months ago Justin Wood #1

There is no real reason you cannot do this.

If you need to return different data depending on if the user is authenticated or not, I would probably do one of

Create different channel names for authenticated and unauthenticated requests.

"authenticated:room:4" and "unauthenticated:room:4". You may also want to create an MyApp.Authenticated.RoomChannel module and a MyApp.Unauthenticated.RoomChannel. Though, this could get a little out of hand if you have a lot of channels.

Create different branches inside the handle_in/3 functions.

In your join function, put a marker on the socket stating whether the user is authenticated or not. Then, in your handle_in/3 functions you can do something like

def handle_in(msg, params, socket) do
  if socket.assigns.authenticated do
    authenticated_request(msg, params, socket)
    unauthenticated_request(msg, params, socket)

However, if there is no data difference between the authenticated and unauthenticated requests, there is no additional overhead. Just do the thing the user asked.

comments powered by Disqus