Does LiveDashboard security require on_mount authentication in production?
nickurban opened this issue
The LiveView security model recommends checking permissions using on_mount
[1]; however, the latest LiveDashboard README only shows checking at the plug
level [2].
Should on_mount be passed through to the underlying live_session?
Is that supported?
Thank you.
[1] https://github.com/phoenixframework/phoenix_live_view/blob/master/guides/server/security-model.md
[2] https://github.com/phoenixframework/phoenix_live_dashboard#extra-add-dashboard-access-on-all-environments-including-production
The way it works is that we use the plug authentication to generate a token and then we check if the token is valid inside the LiveDashboard. So we are validating the user is proper on both fronts. Without the initial http request, the user cannot join the dashboard, so the plug authentication is fine. But if someone has a fine grained need for on_mount, we will be glad to add it. Thanks!
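The plug-level gate the reply refers to, as an added Elixir example that is not from the issue or the LiveDashboard project; `MyAppWeb`, `MyAppWeb.Telemetry`, the `:require_admin` plug and the `:current_user` assign are assumed names.

```elixir
# Added example: protect the dashboard at the plug level, as the thread
# describes. Assumed names: MyAppWeb, MyAppWeb.Telemetry, :current_user.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  import Phoenix.LiveDashboard.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
  end

  # Runs on the initial HTTP request. LiveDashboard only issues its
  # session token once this pipeline lets the request through, so a
  # client that fails here never reaches the LiveView mount.
  pipeline :admins_only do
    plug :require_admin
  end

  scope "/" do
    pipe_through [:browser, :admins_only]
    live_dashboard "/dashboard", metrics: MyAppWeb.Telemetry
  end

  # Assumes an earlier plug (not shown) put the authenticated user in
  # conn.assigns[:current_user]; anything else gets a 403 and the chain halts.
  defp require_admin(conn, _opts) do
    case conn.assigns[:current_user] do
      %{role: :admin} ->
        conn

      _ ->
        conn
        |> Plug.Conn.send_resp(403, "Forbidden")
        |> Plug.Conn.halt()
    end
  end
end
```

The authorization decision lives entirely in the plug pipeline here, which matches the reply: there is no on_mount hook to pass through, so any role or permission logic has to be expressed in the plug.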