How safe and idiomatic would it be to use Phoenix channels for unauthenticated users instead of Ajax

powerbit

A little context and use case: I have this Phoenix app that allows authenticated users to search the database to retrieve public data. The unauthenticated users use Ajax calls and routes to trigger a controller and send back a JSON response to get the same result.

Is it OK to connect unauthenticated users to the private channel somehow, maybe as guests or something, so that I can ditch the Ajax calls? How did you solve this in your app?

I create my socket connection like this:

socket = new Socket('/socket', {params: {guardian_token: app.guardian_token}})

If it is possible, what should I be careful about?

Thanks

Tags: ajax, elixir, phoenix-framework, phoenix-channels

Answers

answered 3 months ago Justin Wood #1

There is no real reason you cannot do this.

If you need to return different data depending on whether the user is authenticated or not, I would probably do one of the following:

Create different channel names for authenticated and unauthenticated requests.

"authenticated:room:4" and "unauthenticated:room:4". You may also want to create a MyApp.Authenticated.RoomChannel module and a MyApp.Unauthenticated.RoomChannel. Though, this could get a little out of hand if you have a lot of channels.

Create different branches inside the handle_in/3 functions.

In your join function, put a marker on the socket stating whether the user is authenticated or not. Then, in your handle_in/3 functions you can do something like

# Assumes join/3 already did assign(socket, :authenticated, true | false),
# so socket.assigns.authenticated is always present here.
def handle_in(msg, params, socket) do
  if socket.assigns.authenticated do
    # Full data set for logged-in users
    authenticated_request(msg, params, socket)
  else
    # Public-only data set for guests
    unauthenticated_request(msg, params, socket)
  end
end

However, if there is no data difference between the authenticated and unauthenticated requests, there is no additional overhead. Just do the thing the user asked.
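The second option carried through end to end, as an added example that is not part of the question or the answer: the socket's connect/3 decides once, server-side, whether the connection is a verified user or a guest and records that in assigns; the channel then branches on that marker by pattern matching. Module names, the "search" event, the "user socket" salt and the MyApp.Search module are assumptions, and Phoenix.Token stands in for the Guardian token from the question (connect/3 is the Phoenix 1.4+ callback).

```elixir
defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  channel "room:*", MyAppWeb.RoomChannel

  @token_max_age 24 * 60 * 60

  # A token is present: verify it here, once, and record the outcome in assigns.
  # The client never gets to claim "authenticated" itself via params.
  @impl true
  def connect(%{"guardian_token" => token}, socket, _connect_info) when is_binary(token) do
    case Phoenix.Token.verify(socket, "user socket", token, max_age: @token_max_age) do
      {:ok, user_id} ->
        {:ok, socket |> assign(:user_id, user_id) |> assign(:authenticated, true)}

      {:error, _reason} ->
        # A bad or expired token is refused rather than quietly downgraded to
        # guest, so a stale session shows up as a reconnect-and-login instead
        # of a silent loss of privileges.
        :error
    end
  end

  # No token at all: this is a guest. It still gets a socket, with the marker off.
  def connect(_params, socket, _connect_info) do
    {:ok, socket |> assign(:user_id, nil) |> assign(:authenticated, false)}
  end

  # Guests have no identity to disconnect by; users can be kicked via their id.
  @impl true
  def id(%{assigns: %{user_id: nil}}), do: nil
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"
end

defmodule MyAppWeb.RoomChannel do
  use Phoenix.Channel

  # Anyone holding a socket may join; the assigns set in connect/3 come along.
  @impl true
  def join("room:" <> _room_id, _params, socket) do
    {:ok, socket}
  end

  # Pattern matching on the marker keeps the two code paths visibly separate.
  @impl true
  def handle_in("search", %{"q" => q}, %{assigns: %{authenticated: true}} = socket)
      when is_binary(q) do
    {:reply, {:ok, %{results: MyApp.Search.run(q, :all)}}, socket}
  end

  def handle_in("search", %{"q" => q}, socket) when is_binary(q) do
    {:reply, {:ok, %{results: MyApp.Search.run(q, :public)}}, socket}
  end

  # A malformed payload gets an error reply instead of crashing the channel process.
  def handle_in("search", _bad_payload, socket) do
    {:reply, {:error, %{reason: "missing q"}}, socket}
  end
end

defmodule MyApp.Search do
  # Constructed stand-in for the real query: a tiny in-memory table.
  @rows [
    %{name: "alpha", public: true},
    %{name: "beta", public: false},
    %{name: "gamma", public: true}
  ]

  # :all is the logged-in scope, :public the guest scope.
  def run(q, :all), do: filter(@rows, q)
  def run(q, :public), do: filter(Enum.filter(@rows, & &1.public), q)

  defp filter(rows, q) do
    needle = String.downcase(q)
    for %{name: name} <- rows, String.contains?(name, needle), do: name
  end
end
```

On the client, a logged-in user keeps the existing `new Socket('/socket', {params: {guardian_token: ...}})` while a guest simply connects with `new Socket('/socket')`, and both push `channel.push("search", {q: "al"})` and read the reply with `.receive("ok", ...)`. Two things to keep in mind that the Ajax controller probably already handles: a guest now holds a persistent connection, so any rate limiting or result caps you applied to the JSON route should be applied in handle_in as well, and the only thing that decides which data set a caller sees is the assign written in connect/3, never anything the caller sends in the message payload.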
