How to restrict access on Websockets? - websocket

I'm trying to figure out how Websockets works. I read some articles, tutorials, etc and I have a pretty basic understanding of how it works, but there is one element that I can't understand how to implement.
My idea is the following : One user will load a "customer" page containing all informations of that customer + a discussion thread. If an other user load that same page, they will be able to discuss in real time and if one user update the data of the customer, the second one will see the update.
The thing that is bugging me, is how can I allow users to access a customer data, but by checking that they can access it (for example, users can access the customer of their group, not all customers)
How can I be sure that the current user will access a customer he has the right (in the websocket)?
Thank you for your help!

Think of the websocket connection itself as a separate thing. A socket used by a client can subscribe to many different events.
What you're describing is topics. When the websocket connection is established, you send a message using whatever socket framework you're using to subscribe to a topic. For example, it could be a topic called customer-123. (A analogy for a topic, is a chat room)
Your application logic (server side) will verify that the currently logged in user has permission to access customer 123, and if so, permits them to join this topic. If you don't do this, it would be trivial for users to listen to any messages relating to any data.
Whenever a user updates any data that is relevant to customer 123, a message is posted to that topic. And thus, any user who is in that topic will receive the message.
An socket might subscribe to many many topics for each customer they open in your app. And topics can be combined and managed in groups depending on how you want to send messages.
In a typical large app, it's common to have a websocket subscribe to topics like user-123, team-456 by default so the server can send messages to them individually or to the entire team to which they are a member of.
For example, if a user updates customer-123, I might send a full data object to the customer-123 topic, and if customer 123 belongs to team-456, I would also send a small notification object like 'User 789 has updated customer 123' to the entire team (which is what powers Facebooks feed like system).
As your app grows, you'll use services like notification hubs to manage the fact that there could be thousands of topics each with thousands of subscribers.

The best thing to do is share a session ID and set up authentication token policies between your web application and your socket session. You could set up your own policy middleware to check the session ID.
You aren't really clear about how you're trying to accomplish this. If you're using express/socket.io, you can use this module: https://www.npmjs.com/package/express-socket.io-session
Hope this helps!

Like any other production application, you need authentication (who is allowed to use the app) and authorization (what functionality can a authenticated user perform). Authorization (ie, access control - ACL) is probably more precisely what you are looking for. Your app has to consult an authorization subsystem to see if the current user has access permission to edit/view another user's information.
This is not a trivial concern for many applications; security and privacy are important aspects of any web-based (distributed) application.

Related

Slack API - persistent message visible only to a set of users in a public channel

I'm planning to write a slack app, and I need to render messages depending on who read them.
I'm thinking something like: the App should have some options, and user's clients should render the messages depending on the options chosen by the user.
Is there a way to post a persistent message (I mean not an ephemeral message) which is shown only to a user (or a set of users)?
Or
Is it possible to post a message shown differently depending on the user who read it?
I don't need to send private or sensitive data, so if the solution to my problem is a message containing all the content for all the users in the channel, it is perfectly fine. It's just matter of user experience.
I have two constraints:
The user experience for those who don't use the App should not be impacted
I need the messages from the App to be rendered in reply to messages sent by the users, so solutions like "open a new channel" or "send direct messages" are not suitable for my needs.
Thank you all (but the Slack team which, in case let us doing that, it makes that not clear in the documentation :D )
This is not possible unless you create your own client to show/display the messages.
Custom slack apps usually augment to the existing functionality. How do you expect to override the functionality of Native Slack 'Desktop, Mobile & Web' Client.
I am happy to discuss this further, if you have some approach in mind.

Use Nchan to post to logged in users only

I am setting up an application with realtime events using nchan (https://github.com/slact/nchan). The application itself is built on the Laravel framework. However, for now everyone that subscripes to specific sub-channel will get new events as soon infomation is pushed to the corresponing pub-channel.
I want to limit that so only logged in users should be able to subscribe to events. Hence, if I am not logged in, it should not be possible to create a websocket and listen for events from for example http://www.example.com/chat/pubchat?id=some_id.
Is there any way to make this possible?
As far as I know, I cannot use Nginx/Nchan to make database queries to get only logged on users that way. And Laravel itself cannot limit subscribers since that is handled by Nginx/Nchan (but on the other side, can make database queries).
Thanks for any tips!
EDIT: Seems that I might can use the Drizzle module (https://github.com/openresty/drizzle-nginx-module) and use the session ID as identifier. So if that ID is not present in the session table the connection will be blocked.

Laravel implement user friends (chat) presence

I’m having some trouble understanding how to inplement presence channels in a real-time laravel application.
From what i’ve read in the documentation and a lot of other online resources about this, i only need to broadcast on a Presence channel and have clients listen on that particular channel. By the way, I'm using laravel 5.6 and on the front end I use Larvel Echo.
So, my problem is that channel name I need to broadcast to. If it’s something generic like “chat”, ALL the users in my application will broadcast to this channel and users who have no ideea who that user is (not a friend) receive this notification and they have to process this new information. Ofcourse I can choose not to update the UI or just do nothing if the user is not in their friends list but this just seems like a lot of useless procesaing of notifications on the client side. Doesn’t seem like a good ideea in my opinion.
Second option would be to broadcast presence to a unique channel name like “chat-[unique]” where “[unique]” would be something like the logged user’s id/hash but this just means that every client that loggs in the application has to listen for ALL friends notifications, so he has to connect to chat-5426, chat-9482, chat-4847 and so on, for all his friends. Again, this does not seem efficient. But that’s not all. The friends list is paginated so a user, after is logged in, only sees his first 20 friends (unless he scrolls down) and I have no limit on how many friend a user can have - I can implement a limit but still, it would be in the thousands so I don’t think I can get all the users from the DB in one query. I had the ideea of using this last method, to listen to each user's channel on the front end just as they are, paginated. Then, when scrolling and navigation arround, if a new user is visible in the viewport, add it to my friends object (no UI change) and start listening on his presence channel. I can see this method failing pretty easy though.
However I think about this, it always seems like online presence is verry resource consuming and almost not worth it for a small startup, I don't know. I have no ideea what a good way would be to implement it as I`ve never done it before. I would greatly appreciate any help with this because all online resources I've found on the subject implement the first method I asked about, all users connectiong to a generic channel but this always works in tutorials because they only have like 2-3 users in the DB and none mantion a user having friends. I can't see this working in the real world, but I may be wrong.
Thanks in advance

It's possible to list subscribers in autobahn.ws?

Currently I'm developing consoles in my webapp displaying user's running *nix application log (game servers) and I just want to make sure that one user can't access other user console by guessing topic name.
I'm using random generated string of 16 chars 0-9, A-Z, a-z, changing on every refresh of page, valid for 30min for each topic name.
Every user of webapp in crossbar config have access to subscribe any topic.
I wanted to set for each user to only subscribe to his/hers console topic but I think that dynamic config for crossbar is not yet implemented.
Is this implementation is enough for privacy of users or it's possible for subscriber to list other subscibers and my work with unique topic names is pointless?
It is indeed possible for subscribers to list other subscribers - via subscription meta-procedures.
Regarding your topic structure - you're doing something like
com.myapp.userlog.user34KUIK567878
com.myapp.userlog.userAHH78738J899
and want to prevent users from being able to subscribe to any channel but their own?
For this you can use a dynamic authorizer - see http://crossbar.io/docs/Authorization/
The dynamic authorizer is called on each subscription (& publish, call, register) request and can then accept or reject this request. It has access to the session data so that you can identify the user.

Approval link in email body

Need help in implementing email based approval system. Ex: Manager gets an auto triggered mail for his/her approval with a approval link in email body, when the manager clicks on the the link, it should validate the manager and then approve it. I tried searching on the internet but didn't find relevant resource.
Request you to Please help me with your ideas, suggestions or how I should proceed, or any plugin or jar is available??? It would be very helpful to me... Thanking you...
EDIT: Thanking you for replying. We have a java web app build using spring framework (MVC) where in employees can apply leaves which has to be approved by his/her manager. If an employee applies leave then a mail is triggered for approval to his/her manager with the leave details. After looking the mail, the manager logs-in to the application to approve or reject the leaves. So request you to Please help me in how to give a direct link in the mail to approve or reject the leaves.
For one of our applications we had the same requirements - employees can submit vacation requests and supervisors will be notified via mail. We have written an article about the exact way we did it - available here.
So in a nutshell, we are using Spring Integration and GMail. Each new vacation request yields an email send to all supervisors. Supervisors can reply with either approve or reject. We only accept email addresses from our domain, but since these can be faked we introduced a shared secret - a UUID added to the mail's subject which then relates to the id of the vacation request.
Once an email comes in we run the business logic to figure out whether a request shall be approved or rejected.
As I stated in my comment, I used Velocity to template my email message. You don't have to use it, but it made my job easier. You should be able to read up on it.
Java itself has the ability to send emails in it's Java EE framework using JavaMail, or you can use Spring's wrappers. You will need access to a mail server of some sorts, and would highly recommend that you setup an email box specifically for this process. I actually used my gmail account during testing, but I wouldn't recommend that for a long-term solution. I assume your company would have an email server setup somewhere you can use.
The process flow would be:
Employee fills out request
System generates an email to employee's manager(s) with a link to approve
Manager clicks on link, taken to approval page
Manager approves/denies request
The next question is how to build the URL. I would suggest using something like a UUID or something like that, or the request ID if that makes it easier. You can generate a UUID from any seed String or set of bytes. I like UUID because it obviscates the data being sent.
Anyway, the URL will basically point to a Spring form that will allow the user to approve that request. So, thinking about what you would need, I would expect some DB record that relates the information in the incoming request to the time off request that was filled out. Read in the record, load the page and display it. Simple enough.
The next issue is locking it down so only the authorized people can approve. Again, making a huge assumption here, but I am guessing you are using Spring Security? If you are, you should be able to add a condition to the Controller's handler for this approval form that requires the user to be authenticated (read here) and add a java.security.Principal to the handler methods arguments (read 15.3.2.3 here for what you can pass into a Controller's handler). With the Principal object in-hand, you should be able to compare that to a list of approvers associated with the request record in the DB. I would then have the system generate approval/denial emails that code to all concerned parties.
Let me reiterate that this is NOT the only solution, only one possible solution. This is why I feel this is not a good question for StackOverflow, as it asks a very broad question that doesn't really have a single right answer.

Resources