search

taoensso / sente

Realtime web comms library for Clojure/Script
https://www.taoensso.com/sente
Eclipse Public License 1.0
1.74k stars 193 forks source link

Authentication and authorization #268

Closed coyotespike closed 7 years ago

coyotespike commented 8 years ago

I've read all the discussions in the issues about authorization and authentication. Here's my current understanding.

  1. To authenticate and authorize at a basic level, all we need is a way for the server to identify uniquely a client which has passed the login test.
  2. A crude form of authentication can be accomplished client-side alone by setting a logged-in flag. This is vulnerable to client-side manipulation and is not a true authentication procedure.
  3. Authentication can also be accomplished via the :uid tag by which Sente identifies a client to enable server-side pushing. After authentication, simply set the :uid tag.
  4. This simple method uses the :uid for two purposes, which is efficient. Thereafter Sente checks for the :uid anyway. However this method doesn't allow token timeout, and the Buddy library expects the token to live in :identity.
  5. It's not clearly to me whether the token associated with :identity or with :uid should be encrypted in some special way. If not we are essentially checking for the mere existence of the token, whatever it is.
  6. If we use the Buddy library's approach and use :identity then we also get the Buddy functions. As long as Sente passes the normal Ring session back and forth over the web sockets, then we can set and pass tokens on client and server sides in the normal Buddy way. It seems this is preferable to duplicating security functionality to work with Sente. And this is why Sente is or can be orthogonal to Buddy/Friend.

How does that sound, especially 5?

One more follow up question.

In #173 it's pointed out that we can use a params option when creating a channel socket. If I use that, should I be starting the router with the :params option, sending my authorization request, and then close the router?

I would then run (sente/start-chsk-router! ch-chsk event-msg-handler*) again for a specific future request, without the :params.

coyotespike commented 8 years ago

For easy reference, here are other issues addressing the topic.

173 -- On setting headers

234 -- User-Ids described and clarified

17 -- Logon/Logoff Example

172 -- Guidance for Closing an Unauthorized Connection

arichiardi commented 8 years ago

Oh nice, it would be great to add them to the README ;)

ptaoussanis commented 7 years ago

Have just setup a basic wiki where we can maybe start collecting together info like this from users?

Please feel free to move/add anything there that you think others might find handy. And that way no need to wait for me to merge, etc.

Cheers :-)

theronic commented 6 years ago

I read through all of the suggested docs and I still don't understand how I should handle authentication, what the lifecycle for uid/sessions are and during what event I should assign or check them. Do I need to wrap sente routes with wrap-session middleware?

Is there a full example somewhere? Would appreciate it.