fixup! Allow the application to configure Turbo::StreamChannel’s inhe…

…ritance `ApplicationCable::Connection` allows the application to apply authentication to all streams method, including those from `Turbo::Broadcastable`. By allowing `Turbo::StreamsChannel` to inherit from `ApplicationCable::Channel` we open up a symmetrical path for authorization. In the spirit of being secure by default we should be moving towards making `Turbo.base_stream_channel_class` default to `"ApplicationCable::Channel"` but doing so without warning would break applications relying on `ApplicationCable::Connection#authorized?` for non-turbo broadcastable streams only. Once we deem it safe we can remove the awkward initialiser and hard code `ApplicationCable::Channel` as the super class. If people needs different super classes for `Turbo::StreamsChannel` and custom channels they can simply add another super class to inherit from in their application. To-dos: - [ ] Generate the initializer on rails new - [ ] Add a commented out method in the rails new / channel generator to encourage authorization. - [ ] Decide on a roll out plan for making inheriting from `ApplicationCable::Channel` the default.
hotwired · Oct 22, 2024 · 4cf8a7a · 4cf8a7a
1 parent 7de73e2
commit 4cf8a7a
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -141,7 +141,7 @@ In multi-tenancy apps it's often important to authorize your subscriptions:
 config.turbo.base_stream_channel_class = "ApplicationCable::Channel"
 ```
 
-You can now implement your domain authorization:
+You can now implement your domain authorization which will be used by `Turbo::StreamsChannel` and any other Channel inheriting from `ApplicationCable::Channel`:
 
 ```rb
 # app/channels/application_cable/channel.rb

diff --git a/app/channels/turbo/streams_channel.rb b/app/channels/turbo/streams_channel.rb
@@ -6,16 +6,13 @@
 # If the signed stream name cannot be verified, the subscription is rejected.
 #
 # It's important to understand that while stream names are signed, <tt>Turbo::StreamsChannel</tt> doesn't authenticate connections or
-# authorize subscriptions. You can configure <tt>Turbo::StreamChannel</tt> to use e.g your <tt>ApplicationCable::Channel</tt> to
-# implement authorization:
+# authorize subscriptions. You can configure <tt>Turbo::StreamsChannel</tt> to use e.g your <tt>ApplicationCable::Channel</tt> to
+# implement authorization in your config/application.rb:
 #
-#   # config/initializers/turbo.rb
-#   Rails.application.config.to_prepare do
-#     Turbo.base_stream_channel_class = "ApplicationCable::Channel"
-#   end
+# config.turbo.base_stream_channel_class = "ApplicationCable::Channel"
 #
 # You can also choose which channel to use via:
-#   <%= turbo_stream_from "room", channel: CustomChannel %>
+# <%= turbo_stream_from "room", channel: CustomChannel %>
 #
 # Note that any channel that listens to a <tt>Turbo::Broadcastable</tt> compatible stream name
 # (e.g <tt>verified_stream_name_from_params</tt>) can also be subscribed to via <tt>Turbo::StreamsChannel</tt>. Meaning that you should

diff --git a/lib/turbo-rails.rb b/lib/turbo-rails.rb
@@ -1,5 +1,4 @@
 require "turbo/engine"
-require "turbo/railtie"
 require "active_support/core_ext/module/attribute_accessors_per_thread"
 
 module Turbo

diff --git a/lib/turbo/engine.rb b/lib/turbo/engine.rb
@@ -78,6 +78,12 @@ class Engine < Rails::Engine
       end
     end
 
+    initializer "turbo.configure" do |app|
+      if base_class = app.config.turbo&.base_stream_channel_class
+        Turbo.base_stream_channel_class = base_class
+      end
+    end
+
     initializer "turbo.helpers", before: :load_config_initializers do
       ActiveSupport.on_load(:action_controller_base) do
         include Turbo::Streams::TurboStreamsTagBuilder, Turbo::Frames::FrameRequest, Turbo::Native::Navigation

diff --git a/lib/turbo/railtie.rb b/lib/turbo/railtie.rb