More from Sarah Chen

RSS

Turbo Streams + authorization: signed per-user stream name

13958 views

0 comments

                  <%# users can only subscribe to streams signed for them %>
<%= turbo_stream_from current_member.signed_stream_name %>

                  class Notification < ApplicationRecord
  after_create_commit do
    broadcast_prepend_to(
      member.signed_stream_name,
      target: 'notifications',
      partial: 'notifications/notification',
      locals: { notification: self }
    )
  end
end

Never subscribe clients to guessable user-specific streams. Use signed_stream_name so a user can only subscribe to their own broadcasts. This is essential when streaming private notifications.

Sarah Chen

More from Sarah Chen

Turbo Streams + authorization: signed per-user stream name

0 Comments

More from Sarah Chen