wandenberg / nginx-push-stream-module

A pure stream http push technology for your Nginx setup. Comet made easy and really scalable.

Long polling URL security #142

Closed pokal4u closed 10 years ago

pokal4u commented 10 years ago

Hi,

When I run the long polling URL in the browser I get the mychannel (1234) JSON response. If I change the channel name to 4321, then I get the 4321 channel response. In this case I am able to see other users' messages. How can I prevent this? Ex:
http://www.domain.com/lp/1234?&tag=&time=&eventid=&_=1401267378786 ---> {1234 response}
http://www.domain.com/lp/4321?&tag=&time=&eventid=&_=1401267378786 ---> {4321 response}

Code:

var pushstream = new PushStream({
    host: "<?php echo $domain; ?>",
    port: window.location.port,
    modes: "longpolling",
    secondsAgo: 3600
});
try {
    pushstream.addChannel(userid);
    pushstream.connect();
} catch(e) {};

Thanks

wandenberg commented 10 years ago

All authorization / authentication should be done outside the module. Check this topic if it helps you https://groups.google.com/forum/#!topic/nginxpushstream/OTvPwoqK1no

pokal4u commented 10 years ago

Hi, could you provide sample examples?

Thanks

wandenberg commented 10 years ago

Hi @pokal4u, sorry, I don't have practical examples ready. I've sent a suggestion to a similar topic today. Take a look at https://groups.google.com/forum/#!topic/nginxpushstream/rEPdXl3vNpA

paulosouzainfo commented 7 years ago

You can apply this security to every route you want by building nginx with --with-http_auth_request_module, in this way...

./configure --with-http_auth_request_module --with-... (another configurations)

In your config file, you add a new route pointing to your application, like an API that returns whether the user is authenticated, or a hash you want to use to protect these routes, like the example below.

location = /auth {
    proxy_pass https://your-domain/your-app-route/this-user-logged;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

In this module, inside your routes, just add a new line to authenticate requests, like the example below for publishers.

location /pub {
    auth_request /auth;
    push_stream_publisher admin;
    push_stream_channels_path $arg_id;
    push_stream_channel_info_on_publish on;
}

In this way, only users authenticated in your application can publish to your route, if the action in the proxy_pass directive returns status 200.

For any other return that isn't 200, the server generates an error 500 and messages can't be published.

That's it!
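The thread leaves out the application side of the pattern: wandenberg's point that authorization belongs outside the module, and paulosouzainfo's `auth_request /auth` configuration, both rely on the `/auth` endpoint answering 200 only when the logged-in user may use the channel named in the original request. The following is an added example, not code from this issue or from the nginx-push-stream-module project. It implements that endpoint with the Python standard library: it reads the `X-Original-URI` header that the `/auth` location above forwards, pulls the channel name out of a subscriber path such as `/lp/1234` or the publisher's `?id=1234` query, and checks it against the channels the session's user owns. The cookie name `session`, the `/lp` and `/sub` location prefixes, the session table and the channel ownership table are all constructed assumptions for illustration; a real deployment would back them with its own session store and data model.

```python
"""Added example: the application-side /auth endpoint for nginx auth_request.

nginx issues an internal subrequest to /auth for every subscriber or publisher
request and allows the original request only if this endpoint returns 200.
The original URL arrives in X-Original-URI (set by proxy_set_header above).
The session cookie name, location prefixes and the two tables below are
assumptions made for this example, not anything the module defines.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: session cookie value -> user id, and which
# channels each user is permitted to subscribe to or publish on.
SESSIONS = {"sess-alice": "1234", "sess-bob": "4321"}
ALLOWED_CHANNELS = {"1234": {"1234"}, "4321": {"4321"}}

# Assumed subscriber locations with the channel in the path (e.g. /lp/1234).
CHANNEL_IN_PATH = re.compile(r"^/(?:lp|sub)/([^/?]+)")


def channel_from_uri(original_uri: str) -> Optional[str]:
    """Return the channel named in the original request URI, or None.

    Covers both styles that appear in the thread: a subscriber URL with the
    channel in the path (/lp/1234?tag=...) and the publisher location that
    uses $arg_id (/pub?id=1234). Ambiguous or missing channels yield None so
    that the caller denies rather than guesses.
    """
    parts = urlsplit(original_uri)
    match = CHANNEL_IN_PATH.match(parts.path)
    if match:
        return match.group(1)
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) == 1 and ids[0]:
        return ids[0]
    return None


def session_from_cookie(cookie_header: str) -> Optional[str]:
    """Pick the (assumed) 'session' cookie out of a Cookie header value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value or None
    return None


def authorize(session_id: Optional[str], original_uri: str) -> int:
    """Decide the status nginx's auth_request sees.

    200 lets the original request through; 401 means no valid session;
    403 means a valid user asked for a channel that is not theirs (the
    exact situation in the issue: user 1234 requesting /lp/4321).
    """
    user = SESSIONS.get(session_id or "")
    if user is None:
        return 401
    channel = channel_from_uri(original_uri)
    if channel is None or channel not in ALLOWED_CHANNELS.get(user, set()):
        return 403
    return 200


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal handler for the /auth location; body-less reply only."""

    def _handle(self) -> None:
        session_id = session_from_cookie(self.headers.get("Cookie", ""))
        original_uri = self.headers.get("X-Original-URI", "")
        self.send_response(authorize(session_id, original_uri))
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The subrequest keeps the original method, so accept both.
    do_GET = _handle
    do_POST = _handle

    def log_message(self, fmt, *args):  # keep stdout quiet in this example
        pass


if __name__ == "__main__":
    # Assumed upstream address for the /auth proxy_pass in the nginx config.
    HTTPServer(("127.0.0.1", 8081), AuthHandler).serve_forever()
```

With this in place, the scenario from the opening post changes: a browser holding user 1234's session still receives `/lp/1234`, but `/lp/4321` is answered by nginx with the 403 from `/auth` instead of the other user's messages. Note that `auth_request` itself only distinguishes 200 (allow), 401 and 403 (deny, passed through to the client) and anything else (500), so the endpoint should never return other codes on the deny path.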