I would like to ask for suggestions/considerations about using a sort of access control layer with socket.io. I haven't found any information on this topic yet so I'm writing here. I'm wondering if there are correct patterns, if it's an anti-pattern or if my idea will do.
A little bit of context
I'm building an application which allows two different types of client to communicate with each other. The two types of client play two different roles, let's say Role1 and Role2. Role1 and Role2 authenticate themselves on the server with a JWT, which they have obtained previously, sent in the auth option when they connect.
Role2's clients may represent anonymous clients. They can, with a special random code, retrieve from the server a special JWT which allows them to authenticate on the socket.io server.
Role2 must not play the Role1 part, so I need a way to control what a role2 client can do.
My idea
My current idea is to introduce an access control layer on events. Basically:
- the JWT contains a list of events the client is allowed to emit
- on the server side there is a socket-level middleware which checks if the received event is allowed by the list contained in the JWT. If so, the event is handled by the listener; otherwise it is discarded. I would like to know if my approach is valid or if there are better approaches.
Thanks in advance!