Open khelf opened 1 year ago
I've opened an issue about pretty much the same thing two days before you ;)
https://github.com/socketio/socket.io/issues/4709
I was entertaining the idea to have a middleware at the very place where the individual clients are sent their packet. I didn't find any listeners that would do that on a per-client-basis.
Hello,
Yes I noticed before creating this one, I am not sure if we are looking for the same thing, I think you are looking for a way to prevent sending sensitive data based on their permissions "per-socket basis" where in my case it was per permissions (that can change in real-time).
So in my case permissions can change after the socket is created, I am not sure if I got what you are looking for exactly but it could be solved via rooms
, where in my case I have to change the socket room if permissions changes.
From how I can see it, they look similar, but my problem is more general, and yours is a case when nothing changes. why does it matter? because the express middleware runs only once and can be used to do this kind of checking and register the user to only the events where they are authorized to see.
We faced something like what you are trying to solve, we used namespaces, and after finding out what kind of user is connected, we disconnect it and connect it to a namespace where he will see only what he is supposed to see.
I think there should be a way to solve both cases, and I am not sure if it is just a duplication of your case, please let me know if you are still thinking it is the same and why.
Okay, I see. I thought our problems were more alike because I assumed your permissions would eventually have to come from a user, which means a socket. So I thought if you emitted an event to a room with multiple users, you had the same problem I have, to filter or modify the event or data for each user (aka socket).
Hi! You can use socket.use()
to filter incoming packets:
io.on("connection", (socket) => {
socket.use(([event, ...args], next) => {
if (isAuthorized(event, socket.data)) {
next();
} else {
// do something, maybe close the connection
}
});
});
Reference: https://socket.io/docs/v4/server-api/#socketusefn
Do you need something like this for outgoing packets too?
Thank you, that's what I was looking for. "Do you need something like this for outgoing packets too?" for now, no, but I think if would be helpful to leave a comment if someone need that in the future. Best regards.
Hi, I might need something for outgoing packets actually, is there any way to block clients to join a room or receive messages?
In our case we were able to prevent users from connecting if the JWT is not valid, and also to send messages to specific rooms if they don't have permissions, but couldn't find a way to prevent them to listen.
Eg if I emit("/types/123/status") only users allowed for 123 should be able to receive it
Suppose we have many clients connected, but each one has a set of permissions, how can we block/allow the execution of of all connected listeners without adding the code to check authorizations in each event handler. something that maybe close to what I am talking about is
prependAnyOutgoing
. I think something like an express middle ware would be very useful in lot of situations, it should provide the option to intercept all events and can block other listener or update data before it get sent to an event handler.notifyOutgoingListeners
is making a copy of all_anyOutgoingListeners
before calling them one by one and it is using an iterator, so it is not wise or possible to override the connected events and set them again to theeventName
via asetTimeout
for example.The only way to do what I am looking for was to override the
socket.on
function before setting any event handler.Without this we would have to write in each event handler
The motivation behind doing the first way is that the possibility to manage all authorizations from single location to make the code more manageable and avoid duplication.
I would love to see this functionality implemented but I am not sure how it should look but I know for sure that it would be very useful in a lot of use cases.