Using and securing rabbitmq mqtt websocket and use it in browser

Question

We need some async workers for some 1-2 min tasks and then provide the user feedback from this tasks.

The idea would be to use the rabbitmq mqtt websocket plugin and provide the user feedback when the calculations done directly in the browser.

For our "old" stack we have some api endpoints as a layer between the user (browser) and rabbitmq services which more or less act as fire and forget.

As mentioned, we now need to provide feedback where we thought it would be create to user websockets (rabbitmq mqtt plugin).

But we are wondering how do we secure the exposed websocket endpoint for each user? Currently its not a problem as we have an amqps clients with X.509.

Our new features need has public access so we can not auth the user beforehand.

Is there a way to directly and securly use the exposed endpoint or do we need a layer in between as we have now?

Answer 1

The RabbitMQ Web MQTT plugin supports TLS. You can then use a username / password to authenticate the user, or use client certificates.

If you need public access then there is no way to secure the endpoint. This applies to all MQTT brokers, not just RabbitMQ.

Answer 2

If you use a plugable authentication source (sorry, not familiar with what RabbitMQ offers here) e.g. that stores user/password in a database. Then you can generate a short lived set of credentials for each session and the webpage can request these from the server via a REST API and then use these to authenticate the MQTT connection over WebSockets.

This means that credentials are only exposed as variables for a short time as temporary variables in the browser, which can be revoked easily as soon as the web session/actions are complete