Is there any way to get metadata about who (authid) published a given message or called an RPC? After I have users authenticate and authorize them for a given role (e.g. allowing them to publish to mychat) how can I prevent clients from spoofing each other's names? Subscribers/callees are just passed the arguments that the pub/caller passed; I don't see how to get session data.

A workaround might be to use dynamic authorization, where each client is only authorized to publish to mychat.<userid>, but that seems icky. Can I just get the session dictionary for normal subs/calls like the dynamic authorization call gets?

Nick T
  • Maybe like something from [here](https://github.com/crossbario/autobahn-python/blob/master/examples/twisted/wamp/rpc/options/backend.py) with `RegisterOptions`, `{disclose_me: true}`.... Need to check. – Nick T Nov 04 '15 at 00:27

1 Answer

This is done via the publisher disclosure and caller disclosure. This currently only sends you a sessionID, and you need to get the other data about the session via a session meta call. The sessionID is sent by the router, so cannot be spoofed by a client.

gzost
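An added example, not part of the answer above and not Autobahn or Crossbar code: a subscriber that ignores the name in the payload and derives the sender from the router-supplied session ID through the `wamp.session.get` meta procedure. It assumes the handler receives a `details` object whose `publisher` attribute is that session ID (what Autobahn passes when you subscribe with `SubscribeOptions(details_arg="details")`); `PublisherResolver`, `on_chat` and `FakeSession` are hypothetical names, and the session data is constructed so the block runs offline.

```python
import asyncio
from types import SimpleNamespace

class PublisherResolver:
    """Maps a router-supplied session ID to the authid the router authenticated."""
    def __init__(self, session):
        self._session = session  # any object with an async call(procedure, *args)
        self._cache = {}         # session ID -> authid, to avoid a meta call per event

    async def authid_for(self, details):
        sid = getattr(details, "publisher", None)
        if sid is None:
            # Disclosure is off: there is no router-vouched identity, so refuse to guess.
            raise PermissionError("publisher not disclosed")
        if sid not in self._cache:
            # Session meta API: returns a dict describing the session, including authid.
            info = await self._session.call("wamp.session.get", sid)
            self._cache[sid] = info["authid"]
        return self._cache[sid]

async def on_chat(resolver, payload, details):
    """Event handler body: the sender name comes from the router, never the payload."""
    authid = await resolver.authid_for(details)
    return {"from": authid, "text": payload.get("text", "")}

class FakeSession:
    """Constructed stand-in for the router's session meta API (sample data only)."""
    def __init__(self, sessions):
        self.sessions, self.lookups = sessions, 0

    async def call(self, procedure, sid):
        assert procedure == "wamp.session.get"
        self.lookups += 1
        return self.sessions[sid]

async def _demo():
    router = FakeSession({7001: {"session": 7001, "authid": "mallory", "authrole": "user"}})
    resolver = PublisherResolver(router)
    spoofed = {"from": "alice", "text": "hi"}  # client-chosen name, ignored by on_chat
    event = SimpleNamespace(publisher=7001)    # session ID attached by the router
    msgs = [await on_chat(resolver, spoofed, event) for _ in range(2)]
    return msgs, router.lookups

def demo():
    return asyncio.run(_demo())

if __name__ == "__main__":
    print(demo())
```

In a long-running subscriber, evict a session ID from the cache when the router announces `wamp.session.on_leave` for it, so a stale entry is never attributed to a later session.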