Reputation: 56
Currently I'm developing consoles in my webapp that display a user's running *nix application log (game servers), and I just want to make sure that one user can't access another user's console by guessing the topic name.
I'm using a randomly generated string of 16 chars (0-9, A-Z, a-z), changing on every refresh of the page and valid for 30 min, for each topic name.
Every user of the webapp in the crossbar config has access to subscribe to any topic. I wanted to restrict each user to subscribing only to his/her own console topic, but I think that dynamic config for crossbar is not yet implemented.
Is this implementation enough for the privacy of users, or is it possible for a subscriber to list other subscribers, making my work with unique topic names pointless?
Upvotes: 0
Views: 217
Reputation: 2445
It is indeed possible for subscribers to list other subscribers - via subscription meta-procedures.
Regarding your topic structure - you're doing something like
com.myapp.userlog.user34KUIK567878
com.myapp.userlog.userAHH78738J899
and want to prevent users from being able to subscribe to any topic but their own?
For this you can use a dynamic authorizer - see http://crossbar.io/docs/Authorization/
The dynamic authorizer is called on each subscription (& publish, call, register) request and can then accept or reject this request. It has access to the session data so that you can identify the user.
Upvotes: 1
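A dynamic authorizer for the topic scheme described in the question, as an added example that is not from the answer or from the Crossbar project. It assumes the webapp records which random console topic belongs to which authenticated user (the ACTIVE_CONSOLE_TOPICS dict, the expiry handling, the backend role name, the procedure URI com.myapp.authorize and the router URL/realm are all assumptions), and it also rejects prefix/wildcard subscriptions, which would otherwise match every user's console at once.

```python
import time

# Constructed sample state: random console topics per authenticated user and
# when each expires (30 min, as in the question). A real deployment would fill
# this from the webapp when it mints a topic name; the shape is an assumption.
ACTIVE_CONSOLE_TOPICS = {
    "alice": {"com.myapp.userlog.user34KUIK567878": time.time() + 1800},
    "bob": {"com.myapp.userlog.userAHH78738J899": time.time() + 1800},
}
BACKEND_ROLE = "logpublisher"  # assumed role of the process that publishes log lines
CONSOLE_PREFIX = "com.myapp.userlog."


def authorize(session, uri, action, options):
    """Crossbar dynamic authorizer: receives the session details dict, the URI,
    the action ('subscribe', 'publish', 'call', 'register') and the options."""
    authid = session.get("authid")
    authrole = session.get("authrole")

    # The log-publishing backend may publish to console topics, nothing else.
    if authrole == BACKEND_ROLE:
        allowed = action == "publish" and uri.startswith(CONSOLE_PREFIX)
        return {"allow": allowed, "disclose": False}

    # Browser clients may only subscribe, and only with an exact-match
    # subscription: a prefix or wildcard match would catch other users' topics.
    if action != "subscribe" or options.get("match", "exact") != "exact":
        return {"allow": False, "disclose": False}

    # Allow only topics minted for this authid that have not expired yet.
    expiry = ACTIVE_CONSOLE_TOPICS.get(authid, {}).get(uri)
    allowed = expiry is not None and expiry > time.time()
    return {"allow": allowed, "disclose": False}


if __name__ == "__main__":
    # Register the authorizer as a WAMP procedure and point the realm's role
    # at it in the router config: {"authorizer": "com.myapp.authorize"}.
    from autobahn.twisted.wamp import ApplicationRunner, ApplicationSession

    class AuthorizerSession(ApplicationSession):
        def onJoin(self, details):
            return self.register(authorize, "com.myapp.authorize")

    ApplicationRunner("ws://127.0.0.1:8080/ws", "realm1").run(AuthorizerSession)
```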