GetStream / stream-js

JS / Browser Client - Build Activity Feeds & Streams with GetStream.io
https://getstream.io
BSD 3-Clause "New" or "Revised" License

Activities Feed Client - Should support invoke/invalidate user token #462

Open tronghm88 opened 3 years ago

tronghm88 commented 3 years ago

Hi there. I'm facing a problem: I want to invoke a user token so that it can no longer be used to call the Stream API from clients. I searched your documents and saw that the Chat Client has an invokeUserToken function, but the Activities Feed Client doesn't. My context is:

First, I generate a user token on the server side and make it able to READ 2 feed groups: GROUP_1 and GROUP_2. Then I send the token to the client to let the client connect to the Stream API directly. Then I generate a new token and make it able to read only one group, group 1. So I need to generate the new token, then send it to the client one more time. About the old token, I want to force it to expire or block it in some way so the user cannot use the old token to access group 2. Please tell me how I can implement this logic?

Thanks for this super great thing.

gz#13574

shodgetts commented 3 years ago

Agent comment from Zachery Converse in Zendesk ticket #13574:

Hello,

Thanks for reaching out to Stream! I'll look into this and get back to you.

Feel free to let us know if you have any additional information or questions.

Cheers, -Zachery Getstream.io


shodgetts commented 3 years ago

Agent comment from Zachery Converse in Zendesk ticket #13574:

Hi,

Tokens are unique to each user and are not used to control permissions. Permissions are defined at a Feed Group level. invokeUserToken does not exist for the feeds product.

These docs are quite good at explaining these premises.

It is possible to add expiration logic to a token: Token Expiration/Refreshing - Feeds

This article is also quite useful: I'm receiving HTTP 403 Errors in my Feeds App

Feel free to let me know if you have any questions.

Cheers, -Zachery Getstream.io


tronghm88 commented 3 years ago

Thanks so much for your answer. But I'm still confused.

  1. About this: "not used to control permissions. Permissions are defined at a Feed Group level." I read this document https://getstream.io/activity-feeds/docs/javascript/auth_and_permissions/?language=javascript and the Authentication section of the REST document https://getstream.io/docs_rest/

I understand that if we add permission scopes to the JWT token payload, we can control user permissions when the client uses the tokens to call the Stream API directly. Pardon me, but I haven't found a document about "Permissions are defined at a Feed Group level." Can you share a link with me?

  2. Next, for example, the first time my backend generates a user token with the permission scope below: { "resource": "*", "action": "read", "feed_id": "user1, user2" } At this moment, the client can read the feeds of both user 1 and user 2, right? Because of our business, one day my backend must deny the above user so that he can't read the feed of user 2 anymore. So we must re-generate a new token with the scope below: { "resource": "*", "action": "read", "feed_id": "user1" } and send it to the client. But somehow, we want the old token to be invalidated/revoked immediately, because it may take a day until the old token expires.

Looking forward to your reply. Thank you so so much.

tronghm88 commented 3 years ago

One more problem: if I use the permission scope as above, the client cannot use tokens with a permission scope to get reactions on activities, even if those activities are theirs.