Phoenix APIs, Channels, and Presence (Elixir/BEAM)

Phoenix excels at REST/JSON APIs and WebSocket Channels with minimal boilerplate, leveraging the BEAM for fault tolerance, lightweight processes, and supervised PubSub/Presence.

Core pillars

• Controllers for JSON APIs with plugs, pipelines, and versioning.
• Contexts own data (Ecto schemas + queries) and expose a narrow API to controllers/channels.
• Channels + PubSub for fan-out real-time updates; Presence for tracking users/devices.
• Auth via plugs (session/cookie for browser, token/Bearer for APIs), with signed params.

---

Project Setup

mix phx.new my_api --no-html --no-live
cd my_api
mix deps.get
mix ecto.create
mix phx.server

Key files:

• lib/my_api_web/endpoint.ex — plugs, sockets, instrumentation
• lib/my_api_web/router.ex — pipelines, scopes, versioning, sockets
• lib/my_api_web/controllers/* — REST/JSON controllers
• lib/my_api/* — contexts + Ecto schemas (ownership of data logic)
• lib/my_api_web/channels/* — Channel modules

---

Routing and Pipelines

Separate browser vs API pipelines; version APIs with scopes.

defmodule MyApiWeb.Router do
  use MyApiWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
    plug :fetch_session
    plug :protect_from_forgery
    plug MyApiWeb.Plugs.RequireAuth
  end

  scope "/api", MyApiWeb do
    pipe_through :api

    scope "/v1", V1, as: :v1 do
      resources "/users", UserController, except: [:new, :edit]
      post "/sessions", SessionController, :create
    end
  end

  socket "/socket", MyApiWeb.UserSocket,
    websocket: [connect_info: [:peer_data, :x_headers]],
    longpoll: false
end

Tips

• Keep pipelines short; push auth/guards into plugs.
• Expose socket "/socket" for Channels; restrict transports as needed.

---

Controllers and Plugs

Controllers stay thin; contexts own the logic.

defmodule MyApiWeb.V1.UserController do
  use MyApiWeb, :controller
  alias MyApi.Accounts

  action_fallback MyApiWeb.FallbackController

  def index(conn, _params) do
    users = Accounts.list_users()
    render(conn, :index, users: users)
  end

  def create(conn, params) do
    with {:ok, user} <- Accounts.register_user(params) do
      conn
      |> put_status(:created)
      |> put_resp_header("location", ~p\"/api/v1/users/#{user.id}\")
      |> render(:show, user: user)
    end
  end
end

FallbackController centralizes error translation ({:error, :not_found} → 404 JSON).

Plugs

• RequireAuth verifies bearer/session tokens, sets current_user.
• Use plug :scrub_params-style transforms in pipelines, not controllers.
• Avoid heavy work in plugs; they run per-request.

---

Contexts and Data (Ecto)

Contexts expose only what controllers/channels need.

defmodule MyApi.Accounts do
  import Ecto.Query, warn: false
  alias MyApi.{Repo, Accounts.User}

  def list_users, do: Repo.all(User)
  def get_user!(id), do: Repo.get!(User, id)

  def register_user(attrs) do
    %User{}
    |> User.registration_changeset(attrs)
    |> Repo.insert()
  end
end

Guidelines

• Keep schema modules free of controller knowledge.
• Validate at the changeset; use Ecto.Multi for multi-step operations.
• Prefer pagination helpers (Scrivener, Flop) for large lists.

---

Channels, PubSub, and Presence

Channel module example:

defmodule MyApiWeb.RoomChannel do
  use Phoenix.Channel
  alias Phoenix.Presence

  def join("room:" <> room_id, _payload, socket) do
    send(self(), :after_join)
    {:ok, assign(socket, :room_id, room_id)}
  end

  def handle_info(:after_join, socket) do
    Presence.track(socket, socket.assigns.user_id, %{online_at: System.system_time(:second)})
    push(socket, "presence_state", Presence.list(socket))
    {:noreply, socket}
  end

  def handle_in("message:new", %{"body" => body}, socket) do
    broadcast!(socket, "message:new", %{user_id: socket.assigns.user_id, body: body})
    {:noreply, socket}
  end
end

PubSub from contexts

def create_order(attrs) do
  with {:ok, order} <- %Order{} |> Order.changeset(attrs) |> Repo.insert() do
    Phoenix.PubSub.broadcast(MyApi.PubSub, "orders", {:order_created, order})
    {:ok, order}
  end
end

Best practices

• Authorize in UserSocket.connect/3 before joining topics.
• Limit payload sizes; validate incoming events.
• Use topic partitioning for tenancy ("tenant:" <> tenant_id <> ":room:" <> room_id).

---

Authentication Patterns

• API tokens: Accept authorization: Bearer <token>; verify in plug, assign current_user.
• Signed params: Phoenix.Token.sign/verify for short-lived join params.
• Rate limiting: Use plugs + ETS/Cachex or reverse proxy (NGINX/Cloudflare).
• CORS: Configure in Endpoint with cors_plug.

---

Testing

Use generated helpers:

defmodule MyApiWeb.UserControllerTest do
  use MyApiWeb.ConnCase, async: true

  test "lists users", %{conn: conn} do
    conn = get(conn, ~p\"/api/v1/users\")
    assert json_response(conn, 200)["data"] == []
  end
end

Channel tests:

defmodule MyApiWeb.RoomChannelTest do
  use MyApiWeb.ChannelCase, async: true

  test "broadcasts messages" do
    {:ok, _, socket} = connect(MyApiWeb.UserSocket, %{"token" => "abc"})
    {:ok, _, socket} = subscribe_and_join(socket, "room:123", %{})
    ref = push(socket, "message:new", %{"body" => "hi"})
    assert_reply ref, :ok
    assert_broadcast "message:new", %{body: "hi"}
  end
end

DataCase: isolates DB per test; use fixtures/factories for setup.

---

Telemetry, Observability, and Ops

• :telemetry events from endpoint, controller, channel, and Ecto queries; export via OpentelemetryPhoenix and OpentelemetryEcto.
• Use Plug.Telemetry for request metrics; add logging metadata (request_id, user_id).
• Releases: MIX_ENV=prod mix release; configure runtime in config/runtime.exs.
• Clustering: libcluster + distributed PubSub for multi-node Presence.
• Assetless APIs: disable unused watchers (esbuild/tailwind) for API-only apps.

---

Common Pitfalls

• Controllers doing queries directly instead of delegating to contexts.
• Not authorizing in UserSocket.connect/3, leading to topic exposure.
• Missing action_fallback → inconsistent error shapes.
• Forgetting to limit event payloads; large messages can overwhelm channels.
• Leaving longpoll enabled when unused; disable to reduce surface area.

Phoenix API + Channels shine when contexts own data, controllers stay thin, and Channels use PubSub/Presence with strict authorization and telemetry. The BEAM handles concurrency and fault tolerance; focus on clear boundaries and real-time experiences.