sst / ion

SST v3
https://sst.dev
MIT License

Feature: Realtime auth improvements #899

Open ian-pascoe opened 3 weeks ago

ian-pascoe commented 3 weeks ago

After trying out realtime, authentication and identification of users that are sending messages is very hard to achieve with the current setup.

It would be awesome to be able to customize more of the authorizer response to include more context or change the principal ID (it's hardcoded to today's date).

Auth flow could then work like:

  1. Attempt to connect to IoT via authorizer
  2. Authorizer validates token and retrieves user from DB
  3. Authorizer creates a JWT containing Auth info.
  4. Authorizer returns JWT in response context along with the allowed topics.
  5. Client now can send the JWT in messages allowing identification
  6. Client can decode the JWT to find out who sent a given message

Am I missing something that would make this easier? If so, a docs update would be just as appreciated. Thanks

jayair commented 3 weeks ago

@thdxr have a look at the PR as well?

thdxr commented 3 weeks ago

PR is good - merged

but for this specific problem - can't you hit another endpoint for this info? AWS IoT doesn't really expect there to be a "request/response" type of exchange

ian-pascoe commented 3 weeks ago

@thdxr - After more and more attempts to get the realtime implementation working I can't find ANY good way to get it working securely...

You could send the userId in the messages via the client but anyone could just spoof a false userId. I saw some info online about using IoT device shadows but seems like additional setup of infrastructure would be required.

For now I'm considering going back to api gateway websockets for my use case since it allows you to provide user data through the lambda request context via a lambda authorizer.

Do y'all have any examples where the realtime message includes user data that can be used from another client?

Also the topic subscriber doesn't receive ANY data besides the raw message which makes it nearly impossible to persist data that is tied to a user.

ian-pascoe commented 3 weeks ago

This webpage shows how to achieve a similar topic/room architecture using API Gateway websockets (have to translate it to English but it's very helpful)

https://ss1.xrea.com/penguinitis.g1.xrea.com/computer/programming/AWS/API_Gateway_WebSocket.html

ian-pascoe commented 3 weeks ago

I also opened https://github.com/sst/ion/pull/908 to add custom lambda authorizers to ApiGatewayV2 and ApiGatewayWebSocket