
So I'm starting to use Redis and Socket.io to broadcast events to the client side. I'm using Laravel for the backend and will take advantage of their event functionality.

Based on a user's access level, I only want them to listen to certain channels. I figured I could dynamically set the channels they will listen to, but I was worried about whether or not they could use a debugging tool or the like to change the channel they're listening to.

For example, maybe the page will load listening on 'channel-100', but can they alter the code so that it can listen to any other channel, like 'channel-110'?

kenshin9

1 Answer


I am not sure I can help specifically with Socket.io, but I can tell you how we have approached that in our realtime system, and this may apply to your problem.

Clients can request to attach to a channel, so it's the inverse of what you suggested, i.e. clients decide what they listen to, servers don't decide. See how channels attach.

Now to address your concern of which clients can access which channels then, your Laravel app should be issuing a token that specifies what rights it has. As your Laravel app is responsible for identity management and knows who the user is, it is always best positioned to have this up to date information at any time. So your client should request a token from your Laravel app, which is passed to your Socket.io server, which should in turn then apply rules to allow / disallow requests to join those channels. That way your Socket.io server does not need to have any business logic embedded from your system, and issuing tokens is easy in your app.

See how we made token authentication work with your app.

I realise it's not a direct answer, but I hope it helps how you think about it architecturally.

Matt, co-founder, Ably: simply better realtime

Matthew O'Riordan
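The token check described in the answer above, as an added example that is not part of the original answer and is not Ably's or Socket.io's own code. It assumes an HMAC secret shared between the Laravel app and the Socket.io server; `issueToken` stands in for the Laravel side, and the secret, token format and function names are all hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: a secret known only to the Laravel app (issuer) and the
// Socket.io server (verifier). Constructed value for the demo.
const SECRET = 'constructed-demo-secret';
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Stand-in for the Laravel app: sign the list of channels this user may join.
function issueToken(userId, channels, ttlSeconds, now = Date.now()) {
  const claims = { sub: userId, channels, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64');
  return `${payload}.${sign(payload).toString('hex')}`;
}

// Socket.io server side: returns the claims, or null if the token is
// malformed, has a bad signature, or has expired.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = sign(parts[0]);
  const given = Buffer.from(parts[1], 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || !Array.isArray(claims.channels)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) return null;
  return claims;
}

// The decision the join handler makes before calling socket.join(channel).
// The client can ask for any channel name; only the signed list counts.
function canJoin(token, channel, now = Date.now()) {
  const claims = verifyToken(token, now);
  return claims !== null && claims.channels.includes(channel);
}
```

Editing the channel name in the browser only changes the join request; the server still decides from the signed claims, so a request for 'channel-110' with a token that lists only 'channel-100' is refused.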