Hacker News new | ask | show | jobs
by pjm331 8 days ago
https://pragprog.com/titles/lhelph/functional-web-developmen...

don't let the title fool you - the first half of the book is just elixir

over the past 8 years this is the book i've used to ramp back up on elixir and it works like a charm every time - i've never finished it

for me, a mark of a good programming book in this tutorial-project style is that I have started it half a dozen times and never finished it because at some point before the end I've been equipped w/ the tools to go off and do my own thing
4 comments
mechanicum 8 days ago
FYI, that’s currently available in a Humble Bundle with 16 other PragProg functional programming books: https://www.humblebundle.com/books/ultimate-functional-progr...
link
roblh 8 days ago
Great find, grabbed that. Thanks!
link
sevenzero 8 days ago
Yea I've worked through Elixir in Action and appreciate all book recommendations. My issue is, tutorial style books rarely cover security related concerns.
link
felixgallo 8 days ago
what do you mean by 'security related concerns'?
link
sevenzero 8 days ago
How to properly build a liveview thats safe against hijacking the websocket phoenix uses for liveviews. You can just do it from the devtools on client side. With regular HTTP requests at least I know what to look out for, with liveview there are almost no resources on how to build a view securely. Like I was able to just call the functions in my module by just addressing them from my browsers console. Just to name an example.
link
NortySpock 5 days ago
As others have said, the server receives a function call request and decides what to do with it. Whether or not a user or session is currently authorized to perform the action they want is something you evaluate inside the function -- but you

E.g. https://github.com/beyond-all-reason/teiserver/blob/f6ff6d68... here, we are in a function call that handles requests to send a chat message into a game lobby. We updated the flood protection timestamps above, and then determine if the user has permission to send the message, and finally if they are speaking just as a client or via the Coordinator. Then we reply the updated state back to the websocket.

This is what I found beautiful about GenServers, by the way. It's a very explicit "starting state, consume from queue, and each message handling function returns the next system state", which makes it very clear that a state transition does not occur unless you reach the bottom of the event-handling function call, and at that point, it's an atomic state transition of the entire internal state.

In summary: don't trust the client. Independently determine, server-side, in the function itself, if the function call you just received is valid given the current state, not rate limited, etc, and then from there you can choose if you want to act on it.

Disclaimer: Elixir noob, but I have been using Teiserver to learn.

link
OkayPhysicist 8 days ago
[1] https://phoenix-live-view.hexdocs.pm/security-model.html

There's a guide in the LiveView docs that walks you through the security model. To be clear, you need to always assume that the user can send you anything. That's a fact of any networked system: Clients need to be assumed to be completely under the control of an evil user, because at the end of the day it is impossible to know whether you're talking to the client you wrote, or some evil program written by an adversary. Any function that acts as a handler for an event/message can be called by the user, at any time. You have to use session/socket state to handle authorization.

link
sevenzero 7 days ago
I am well aware of that, its much much easier to account for this with regular HTTP handlers in other stacks though. The issue here is that you can call random functions if you guess the signature correctly. Even authorized/authenticated users can and will missbehave if given the chance.
link
OkayPhysicist 7 days ago
To clarify, when you say "random functions", do you mean arbitrary event handlers like "handle_event("my_event")", despite the intended UI not presenting a way to call that event at the moment? Or do you mean any function in the LiveView module?

The latter doesn't seem to be the case, and if it is would be alarming. The former is absolutely the intended behavior. The client can send events to the server, that's how the whole thing works. If certain events shouldn't be available at certain times, you need to check that server side, and that's going to be true in any http handler.

link
Kaliboy 8 days ago
Honestly just build it using the tutorials and sound mind and you're like 80% there.

This may sound crazy but when any interpreter boots up, but I feel it especially with BEAM, that needs to be your "let there be Light" moment. That's your world, that state is yours and only your will decides what changes.

So yes you can call all functions in your module, that's indeed how it works. But that's your module and that function mutates your world.

Just like you filter what people tell you based on your knowledge, you do the same here.

Most of my methods start with guard clauses.

`return if condition_not_met`

Don't touch my state if I don't agree with what you want me to do.

In Ruby it's essential cause that's how we get RuntimeErrors all over the place. In Elixir it's way easier to do, with pattern matching. And easier since state is what enters the function and will be what leaves.

If you keep this in mind you should inherently write safe code, because in protecting your domain through guards you basically close the door for exploitation by unknown means.

I'll give you one example I just thought of. Where I work we run Rails since the time before time, and as such had a lot of technical debt.

Around Rails 5 or 6 what we call `ActionController::Parameters` had a breaking change. Basically this module processes parameters received from HTTP requests.

Beforehand it just wrapped all it got and handed it over to us. But now it expected us to tell it what to expect. And if didn't find what it expected it blew up with a bang!

Horrible for our hundreds of controllers with `controllers * 4` html templates where all the form keys were hidden.

We either had to add the conventiely available `permit!` call, or find the form keys for all the forms, and add `permit(:name, :address,...)`. A shitload of work before AI.

I ended up monkey patching Rails to generate the lists for us instead of crashing. And for the point of this entire story...

The defaults of most frameworks are very safe, but they require the most verbosity so the framework knows what to expect and to guard it. But there always exists easier and faster ways to the same goal, but it's generally a trade. You get ease, you sacrifice some security.

Don't get in that habit and you'll be fine. And spend a lot of time thinking what could go wrong and guard against them.

link
parthdesai 8 days ago
There's also the "bible": https://www.manning.com/books/elixir-in-action-third-edition
link
kajman 8 days ago
I've heard that Phoenix has changed a lot since that book was written. How relevant are those framework specific parts still?
link
arcanemachiner 8 days ago
As someone who learned Elixir during the Phoenix 1.7 release, let me tell you: If you downgrade to Phoenix 1.6 and learn from there, you should be fine.

The upgraded versions are mostly the same, but the differences in Phoenix 1.7 are enough to break the tutorials enough to confuse a newbie. Now, in the post-LLM age, that's not nearly as bad. But it was a real pain when I was learning.

link