Add Authorization to Channels

Learn how to add authorization to Channels.

Socket authentication is not always enough to fully secure our applications. For example, we could have a Socket that stores the authenticated user ID in the Socket state and allows a connection. When a client attempts to join the "user:1" Channel but is user ID 2, we should reject the Channel join request. The client should only have access to topics that are relevant to them. We can do that with Channel authorization.

Types of channel authorizations

When a client joins a Channel, the Channel’s join/3 function is invoked. We can add authorization to our Channel by making this function check for a valid token. There are two options for how to add Channel authorization:

  • Parameter-based: Parameters can optionally be sent when a Channel topic is joined. The client’s authentication token is sent via these parameters, and the Channel can authorize the topic using the data encoded into the token.

  • ...
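
The parameter-based option as an added example (not code from the original page): a join/3 that verifies a Phoenix.Token sent in the join parameters and rejects the join unless the user ID inside the token matches the topic. The module name, salt, max age and the "token" parameter key are assumptions, and the token is assumed to have been signed with the integer user ID.

```elixir
defmodule ExampleWeb.UserChannel do
  # Hypothetical module name. `use Phoenix.Channel` is Phoenix's own macro
  # and imports assign/3 for the socket.
  use Phoenix.Channel

  # Assumed values. The salt must equal the one used when the token was
  # issued, e.g. Phoenix.Token.sign(endpoint, "user channel salt", user.id).
  @salt "user channel salt"
  @max_age 86_400

  # Parameter-based authorization: the client joins "user:<id>" and sends
  # %{"token" => token} as the join parameters.
  def join("user:" <> topic_id, %{"token" => token}, socket) when is_binary(token) do
    with {:ok, user_id} <- Phoenix.Token.verify(socket, @salt, token, max_age: @max_age),
         # The topic suffix must parse fully to the same integer ID that was
         # signed into the token. User 2 asking for "user:1" fails this match.
         {^user_id, ""} <- Integer.parse(topic_id) do
      {:ok, assign(socket, :user_id, user_id)}
    else
      # Expired, invalid or mismatched tokens all get the same reply so the
      # client cannot tell which check failed.
      _ -> {:error, %{reason: "unauthorized"}}
    end
  end

  # No token, or a token that is not a string: reject the join.
  def join("user:" <> _topic_id, _params, _socket) do
    {:error, %{reason: "unauthorized"}}
  end
end
```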