In a Crossbar.io application, what's to stop a publisher from doing something like:

setInterval(function() { session.publish(topicUri, [randomStr]); }, 10);

My understanding is there is no way to identify a publisher that doesn't disclose itself. Identification could at least help in blocking abusive publishers. If a publication can't be stopped, is there a way to help subscribers block flooding attempts?

indyo

1 Answer


Crossbar also supports RPC calls. For chat, it would be better to create an RPC backend function like add_message() that publishes messages from users. And set permissions for user (or anonymous)/backend like:

{
   "name": "user",
   "permissions": [
       {
           "uri": "*",
           "subscribe": true,
           "call": true
       }
   ]
},
{
   "name": "backend",
   "permissions": [
       {
           "uri": "*",
           "publish": true,
           "subscribe": true,
           "call": true,
           "register": true
       }
   ]
}

Now the user can only subscribe and call RPC functions (publishing via the backend), and you can analyze messages on the backend to prevent any flood.

slav0nic
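
One way to do the backend-side flood check described in the answer above, as an added example that is not part of the original answer or of Crossbar.io itself. `ChatBackend`, the topic `com.example.chat`, the limits and the `publish` callback (standing in for the backend session's publish call) are assumptions, as is the caller id, which is assumed to be the caller's session id taken from the call details when the router discloses the caller.

```python
import time


class TokenBucket:
    """Allow `burst` messages at once, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ChatBackend:
    """Hypothetical backend component that owns the only publish permission."""

    TOPIC = "com.example.chat"  # constructed topic URI
    MAX_LEN = 500               # constructed limit on message size

    def __init__(self, publish, rate=2.0, burst=5, clock=time.monotonic):
        self.publish, self.clock = publish, clock
        self.rate, self.burst = rate, burst
        self.buckets = {}  # caller session id -> TokenBucket

    def add_message(self, caller_id, text):
        """Body of the add_message() RPC: returns 'ok', 'rejected' or 'throttled'."""
        now = self.clock()
        bucket = self.buckets.get(caller_id)
        if bucket is None:
            bucket = self.buckets[caller_id] = TokenBucket(self.rate, self.burst, now)
        # Every call costs a token, so a flood of invalid calls is throttled too.
        if not bucket.allow(now):
            return "throttled"
        if not isinstance(text, str) or not text.strip() or len(text) > self.MAX_LEN:
            return "rejected"
        self.publish(self.TOPIC, [caller_id, text])
        return "ok"

    def forget(self, caller_id):
        # Call when the caller's session ends so the table does not grow forever.
        self.buckets.pop(caller_id, None)
```

Because the `user` role has no `publish` permission, a client running the `setInterval` loop from the question can only reach subscribers through `add_message()`, where it is limited to the configured burst and rate.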