
OH, HI

I am creating a chat app with a server written in Node.js and Faye.

  1. Clients subscribe to /messages/new
  2. Messages go this way:

    client --[publish to /messages]--> server side client --[publish to /messages/new]--> all clients

But if I'm an Anonymous H4x0r, I can edit the client JS file and make my client publish messages not on /messages, but on /messages/new. Messages will bypass the server-side client and go directly to clients. I want messages to go via the server-side client, because the server does magic: it validates the token, saves the message in a Redis database, and logs.

Question

How can I disable publishing to a specific channel by clients?

Should I write a custom engine? I didn't find any channel configuration in the Faye server. Let me know if you want to see some code; I don't know what to show you.

Note

createServer = ->
    server = http.createServer()
    server.listen settings.serverPort

    bayeux = new faye.NodeAdapter        ##################################
        mount: '/faye'                   # This is "server side client"
        timeout: 45                      # lol
    bayeux.attach server                 ##################################
    fayeClient = bayeux.getClient()

    log "listening on port #{settings.serverPort}..."

    return [fayeClient, bayeux]

Edits

  • Edit: rename "server" to "server side client"
  • Edit2: add Note
voy
  • Bypassing the server would mean you have peer to peer connections, which you don't have. – Daniel W. Aug 18 '14 at 11:30
  • Yup, I didn't express myself clearly. Messages bypass my _server_ - faye.nodeAdapter attached to the http server, which is de facto a server-side client. I need to control _message flow_ to block messages on a specific channel from browser clients. – voy Aug 18 '14 at 11:49

2 Answers


Damn, I'm dumb.

Every message goes through server extensions; after that it is sent to listeners (other clients).

  1. I added a token for my server-side client.
  2. Check the token in the incoming extension.
  3. If the token is incorrect, do not propagate the message (don't run the callback).

My code:

incoming: (message, callback) ->
    # validate, if message has been sent by server
    if message.channel == channels.newMessages  # /messages/new
        # I added token for server side client
        if message.data.token != settings.serverToken
            return  # if message token is incorrect, don't run callback

    callback(message)  # send message to all listeners
voy

This is actually wrong nowadays, as current documentation states:

You should always make sure your extension calls the callback, as failing to do so could block delivery of other messages in the same request.

To have the server reject a message, you should add an error property to it and pass it to the callback:

if (token !== msgToken)
  message.error = 'Invalid subscription auth token';

// Call the server back now we're done
callback(message);
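
Added example, not code from either answer or from the Faye project: a server extension object that applies the second answer's approach (set `message.error`, always call the callback) to the `/messages/new` check from the first answer, and also removes the token from `message.data` so the secret is not delivered to subscribers with the payload. `makeGuard`, `sameToken`, `check` and the sample token are hypothetical names and values; `data.token` and `settings.serverToken` follow the first answer.

```javascript
// Added example. makeGuard, sameToken, check and the sample token are assumptions.
const PROTECTED_CHANNEL = '/messages/new'; // channel from the question

// Compare two strings without stopping at the first differing character.
function sameToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length && i < b.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Build a Faye-style server extension object ({ incoming }).
function makeGuard(serverToken) {
  if (!serverToken) throw new Error('serverToken must be a non-empty string');
  return {
    incoming(message, callback) {
      if (message.channel === PROTECTED_CHANNEL) {
        const data = message.data;
        const token = data && typeof data === 'object' ? data.token : undefined;
        if (!sameToken(token, serverToken)) {
          // Reject by flagging the message instead of swallowing it.
          message.error = 'Publishing to this channel is not allowed';
        }
        // message.data is what subscribers receive: strip the secret either way.
        if (data && typeof data === 'object') delete data.token;
      }
      callback(message); // always called, so the rest of the request is not blocked
    }
  };
}

// Run one message through the guard and return what the callback received.
function check(guard, message) {
  let seen = null;
  guard.incoming(message, (m) => { seen = m; });
  return seen;
}

// Constructed sample messages, not captured traffic.
const guard = makeGuard('constructed-server-token');
console.log(check(guard, { channel: PROTECTED_CHANNEL, data: { text: 'spoofed' } }));
console.log(check(guard, { channel: PROTECTED_CHANNEL,
  data: { text: 'relayed', token: 'constructed-server-token' } }));
// With Faye: bayeux.addExtension(makeGuard(settings.serverToken))
```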