I wonder if deepstream provides a ready-to-use solution for making endpoints private/public. If it doesn't, how can I track deepstream calls on the server side so that only certain endpoints are allowed? I believe I need to provide a permissionHandler that implements canPerformAction and checks whether the call is an RPC that requires authorization and whether the caller is properly authorized to make it. Is that the right thinking? I'm looking at the documentation and understand that I'm interested in topic P, but I don't know which action is the right one to check. https://deepstream.io/docs/constants.html
Thanks in advance!
You're spot on with your approach. Here's a code sample on how to permission different users for different RPCs. In a real-world use-case you would most likely get the variables `users` and `rpcs` from a database.
So now whenever a client calls `ds.rpc.make( 'set-user-data', ...` the server looks up which permission the rpc requires (`'canEditUser'`) and if the user has that permission (mike: true, lisa: false)
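var DeepstreamServer = require( 'deepstream.io' );
var server = new DeepstreamServer();
var C = server.constants;

// Sample data: username -> permission flags held by that user.
// In a real deployment this would be loaded from a database.
var users = {
  'mike': { canEditUser: true },
  'lisa': { canEditUser: false }
};

// Sample data: RPC name -> name of the permission flag a caller must hold.
var rpcs = {
  'set-user-data': 'canEditUser'
};

/**
 * Own-property lookup for the plain-object tables above.
 *
 * Both keys used in this file (the username and the RPC name) are supplied by
 * the client. A bare `table[ key ]` would also match inherited names such as
 * 'constructor' or 'toString', so lookups are restricted to string keys that
 * the table itself defines.
 *
 * @param {Object} table - users or rpcs
 * @param {*} key - client-supplied key
 * @returns {boolean} true only if key is a string and an own property of table
 */
function hasOwnKey( table, key ) {
  return typeof key === 'string' && Object.prototype.hasOwnProperty.call( table, key );
}

server.set( 'permissionHandler', {
  /**
   * Decides whether an incoming connection may log in.
   *
   * NOTE(review): only the claimed username is checked. Nothing in authData is
   * verified as a credential, so any client can log in as any listed user.
   * Verify a password or token here before calling back with success.
   *
   * The callback is invoked exactly once on every path, so an unknown
   * username is rejected instead of leaving the login unanswered.
   *
   * @param {Object} connectionData - connection details (unused here)
   * @param {Object} authData - data sent by the client at login
   * @param {Function} callback - callback( error, username )
   */
  isValidUser: function( connectionData, authData, callback ) {
    var claimedName = authData && authData.username;

    if( !claimedName ) {
      callback( 'no username specified' );
      return;
    }

    if( !hasOwnKey( users, claimedName ) ) {
      callback( 'invalid user' );
      return;
    }

    callback( null, claimedName );
  },

  /**
   * Decides whether an authenticated user may perform a message's action.
   *
   * Only incoming RPC requests are permissioned in this sample. Every other
   * message is denied explicitly (fail closed) rather than left unanswered.
   * Add explicit rules here for the other message types the application
   * needs, including which clients may register as the provider of an RPC.
   *
   * @param {string} username - name returned by isValidUser
   * @param {Object} message - parsed message with topic, action and data
   * @param {Function} callback - callback( error, isAllowed )
   */
  canPerformAction: function( username, message, callback ) {
    var isIncomingRpc = message.topic === C.TOPIC.RPC && message.action === C.ACTIONS.REQUEST;

    if( !isIncomingRpc ) {
      callback( null, false );
      return;
    }

    // message.data is client-controlled and may be missing or empty.
    var rpcName = message.data && message.data[ 0 ];

    if( !hasOwnKey( rpcs, rpcName ) ) {
      callback( 'Unknown RPC ' + rpcName );
      return;
    }

    // A username that is not in the table holds no permissions.
    var userPermissions = hasOwnKey( users, username ) ? users[ username ] : {};
    var requiredRpcPermission = rpcs[ rpcName ];

    // Grant only on an explicit `true`; a missing flag means "not allowed".
    callback( null, userPermissions[ requiredRpcPermission ] === true );
  }
});

server.start();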