Class: Phlex::Reactive::ActionsController

Inherits:
Object
Defined in:
app/controllers/phlex/reactive/actions_controller.rb

Overview

The single endpoint behind every reactive component. The generic `reactive` Stimulus controller POSTs here with a signed identity token, an action name, and params. The controller verifies the token, rebuilds the component (re-finding the record from the DB for record-backed components), runs the whitelisted action, and returns an auto-targeted Turbo Stream that the client morphs in. Actions not declared on the component are refused outright (default-deny).

Customizing in your app:

* Authentication — by default this inherits from
  Phlex::Reactive.base_controller (ActionController::Base). Set it to
  your ApplicationController to get current_user/Current/CSRF, but make
  sure the action path isn't force-redirected for logged-out users if
  you have public reactive components.
* Authorization — DO IT IN THE COMPONENT ACTION. The token proves the
  identity is ours, not that this user may act. Raise from the action
  (e.g. authorize!), and configure Phlex::Reactive.authorization_errors
  so it's rendered as 403 here.
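As an added illustration (not code from Phlex::Reactive), the token check and default-deny action lookup that the flow above depends on, sketched with plain OpenSSL HMAC instead of Rails' signed-message helpers. The Counter component, the secret, and the dispatch function are all constructed for this example; the real helpers (verified_payload, resolve_component, coerce_params, run_action) are not shown on this page.

```ruby
require "openssl"
require "json"
require "base64"
class InvalidToken < StandardError; end
SECRET = "constructed-demo-secret" # assumption: a real app loads this from credentials

# Constant-time comparison so a forged MAC leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token = base64url(JSON identity) + "." + hex HMAC-SHA256 over that encoding.
def sign_identity(identity, secret: SECRET)
  data = Base64.urlsafe_encode64(JSON.generate(identity), padding: false)
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  "#{data}.#{mac}"
end
# Check the MAC before decoding anything; every failure mode becomes InvalidToken.
def verified_payload(token, secret: SECRET)
  data, mac = token.to_s.split(".", 2)
  raise InvalidToken, "malformed token" if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  raise InvalidToken, "bad signature" unless secure_equal?(expected, mac)
  JSON.parse(Base64.urlsafe_decode64(data))
rescue JSON::ParserError, ArgumentError
  raise InvalidToken, "undecodable payload"
end

# Hypothetical component: only actions listed here are reachable (default-deny).
class Counter
  ACTIONS = { "increment" => { params: ["by"] } }.freeze
  def self.reactive_action(name); ACTIONS[name]; end
  attr_reader :count
  def initialize(count); @count = count; end
  def increment(by:); @count += Integer(by); end
end

# Mirrors the controller flow, returning [status, component] instead of rendering.
def dispatch(token:, action:, params:)
  payload = verified_payload(token)              # bad signature => :bad_request
  action_def = Counter.reactive_action(action)
  return [:forbidden, nil] unless action_def     # unlisted action => :forbidden
  component = Counter.new(payload.fetch("count"))
  allowed = params.slice(*action_def[:params]).transform_keys(&:to_sym)
  component.public_send(action, **allowed)       # only whitelisted params reach it
  [:ok, component]
rescue InvalidToken
  [:bad_request, nil]
end
```

Authorization (may this user act?) is deliberately absent here, matching the advice above: it belongs inside the component action, not in the token check.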


Instance Method Details

#create ⇒ Object
# File 'app/controllers/phlex/reactive/actions_controller.rb', line 29

def create
  payload = verified_payload                        # raises InvalidToken on a bad signature
  component_class = resolve_component(payload["c"])
  action_def = component_class.reactive_action(reactive_action_name)

  return head(:forbidden) unless action_def # default-deny: undeclared actions are never called

  component = component_class.from_identity(payload) # record-backed components re-find their record here
  coerced = coerce_params(action_def.params)          # only the params the action declares

  run_action(component, action_def, coerced)         # authorization checks belong inside the action

  render turbo_stream: component.to_stream_replace
rescue Phlex::Reactive::InvalidToken
  head :bad_request
rescue ActiveRecord::RecordNotFound
  head :not_found
rescue *authorization_errors                          # configured via Phlex::Reactive.authorization_errors
  head :forbidden
end