How do you check who is making an RPC call?


Michel Desmoulin

Aug 26, 2015, 12:20:22 PM
to Autobahn
Once a client is authenticated, I need to check if he has the permission to make a specific action. For example, if it requests to modify some data belonging to a user, I need to check that it is indeed this user, with authid matching its username.

How can I do that?

Tobias Oberstein

Aug 26, 2015, 12:54:36 PM
to autobahnws

You can enable caller details. Eg Crossbar.io supports that. What you get is (currently) the WAMP session ID of the caller that originates the call. And using the WAMP meta API of Crossbar.io, you can retrieve all session details, including authid and authrole. This isn't set in stone .. we might also directly provide the authid/authrole in the call details .. saving an additional call. Thing is: there is a tradeoff, sending info directly with each and every call vs letting user code retrieve additional info on demand.

Sent from Mobile (Google Nexus 5)


Rejo

Aug 26, 2015, 1:02:18 PM
to Autobahn
The choice could be made with a specific option in the 'register' call

Michel Desmoulin

Aug 26, 2015, 1:24:05 PM
to Autobahn

Thanks. For the next ones looking for it, it's here: http://crossbar.io/docs/Caller-Identification/

This trade-off could be configurable though.

Adding an additional 20ms of back and forth to get the information seems a bit overkill, but I don't know what performance issues would cause sticking authid and authrole on the requests directly. Intuitively I feel like it's not more than what the additional requests you would do most of the time, but it's hard to know how often you need this info and how long it takes to make the additional call on a real site.

My vote is for the inclusion of at least authid + a parameter to allow the registration to require { disclose_me: true } from clients, so we can have a standard error for that if they don't set it. Or a decorator checking for it. Probably easier to implement, and will not overload the router.

Michel Desmoulin

Aug 26, 2015, 2:27:07 PM
to Autobahn
I managed to use the disclose_me parameter on the caller:

session.call('com.example.add2', [2, 3], {}, { disclose_me: true })


But I can't find a way to read the details on the callee:

      def add2(*args, **kwargs):
          print("add2() called with {} and {}".format(args, kwargs))
          return sum(args)  # sum the positional arguments

      yield self.register(add2, 'com.example.add2')

This only prints the ordinary parameters. I'm on the latest version of crossbar.

Rejo

Aug 27, 2015, 4:31:35 AM
to Autobahn
You need to ask for details_args in subscribe's options

Alexander Gödde

Aug 27, 2015, 5:27:06 AM
to Autobahn
Hi Michel,

the caller details are provided as a third argument, so you have (args, kwargs, details).

Regards,

Alex

Michel Desmoulin

Aug 27, 2015, 9:05:52 AM
to Autobahn
There is no subscribe, it's an RPC.

Michel Desmoulin

Aug 27, 2015, 9:10:13 AM
to Autobahn
I used *args and **kwargs. It doesn't appear in any of them. This notation catches all parameters.

The call (js):


            session.call('com.example.add2', [2, 3], {}, { disclose_me: true }).then(
               function (res) {
                  console.log("OK: call result received", res);
               },
               function (error) {
                  console.log("ERROR: call error (and this have succeeded!!)", error);
               }
            );


The remote procedure:


      def add2(*args, **kwargs):
         print("add2() called with {} and {}".format(args, kwargs))
         return sum(args)

      reg = yield self.register(add2, 'com.example.add2')


The output:

     add2() called with (2, 3) and {}

Rejo

Aug 27, 2015, 10:01:53 AM
to Autobahn
oops.. I meant 'register'... (and RegisterOptions)

Michel Desmoulin

Aug 27, 2015, 10:18:03 AM
to Autobahn
TY it worked.

For those wondering about the solution:

         from autobahn.wamp.types import RegisterOptions
         options = RegisterOptions(details_arg="details")  # CallDetails arrives as keyword argument 'details' (it lands in **kwargs above)
         reg = yield self.register(add2, 'com.example.add2', options)
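As an added example that is not part of this thread and not Autobahn's or Crossbar.io's own code, here is how the registration above can be put to use for the original question (only let a user modify their own data): the procedure receives the router-injected details, resolves the caller's authid (either directly from the details or, as Tobias describes, through a meta API lookup on the caller session id), and fails closed when the caller did not disclose itself. The CallDetails class, lookup_session(), SESSION_DIRECTORY and USER_RECORDS are constructed stand-ins for the real autobahn.wamp.types.CallDetails, the wamp.session.get meta API and the application's data store; the admin override on authrole goes slightly beyond the thread's owner-only check.

```python
# Added example for this thread (not code from the thread or from Autobahn):
# a registered procedure that enforces "only the owner (or an admin) may modify
# a user's record", using the caller details Autobahn injects when the
# procedure is registered with RegisterOptions(details_arg="details").
#
# Assumptions, all constructed for this example:
#   - CallDetails below is a stand-in for autobahn.wamp.types.CallDetails; in a
#     real callee the router-supplied object is passed in, not this class.
#   - lookup_session() stands in for a Crossbar.io meta API call
#     (wamp.session.get) that maps a caller session id to authid/authrole.
#   - SESSION_DIRECTORY and USER_RECORDS are in-memory stand-ins for the
#     router's session table and the application's data store.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class CallDetails:
    # Session id of the caller; only present when the caller sent
    # {disclose_me: true} (or the router is configured to disclose callers).
    caller: Optional[int] = None
    # A router may also attach the caller's authid/authrole directly; when
    # present we use them and skip the extra meta API round trip.
    caller_authid: Optional[str] = None
    caller_authrole: Optional[str] = None


class CallerNotDisclosed(Exception):
    """The call carried no caller identity, so it cannot be authorized."""


class NotAuthorized(Exception):
    """The caller is known but may not perform this action."""


# Constructed sample data: session id -> (authid, authrole).
SESSION_DIRECTORY = {
    1001: ("alice", "user"),
    1002: ("bob", "user"),
    1003: ("ops", "admin"),
}

# Constructed sample data: the records the procedure protects.
USER_RECORDS = {
    "alice": {"email": "alice@example.invalid"},
    "bob": {"email": "bob@example.invalid"},
}


def lookup_session(session_id: int) -> Tuple[str, str]:
    """Stand-in for wamp.session.get: resolve a session id to (authid, authrole)."""
    try:
        return SESSION_DIRECTORY[session_id]
    except KeyError:
        # A session the router does not know cannot be trusted.
        raise NotAuthorized("unknown caller session {}".format(session_id))


def resolve_caller(details: Optional[CallDetails],
                   lookup: Callable[[int], Tuple[str, str]] = lookup_session) -> Tuple[str, str]:
    """Return (authid, authrole) of the caller, failing closed if unknown."""
    if details is None or details.caller is None:
        raise CallerNotDisclosed("call this procedure with disclose_me set")
    if details.caller_authid is not None:
        return details.caller_authid, details.caller_authrole or ""
    return lookup(details.caller)


def update_profile(username: str, new_email: str,
                   details: Optional[CallDetails] = None) -> dict:
    """Procedure body: change a user's e-mail only if the caller owns it or is an admin.

    `details` is the keyword argument the router fills in because of
    RegisterOptions(details_arg="details").
    """
    authid, authrole = resolve_caller(details)
    if authid != username and authrole != "admin":
        raise NotAuthorized("{} may not modify {}".format(authid, username))
    if username not in USER_RECORDS:
        raise KeyError("no such user: {}".format(username))
    USER_RECORDS[username]["email"] = new_email
    return {"user": username, "email": new_email, "changed_by": authid}


# In a real ApplicationSession.onJoin the registration would look like:
#   from autobahn.wamp.types import RegisterOptions
#   yield self.register(update_profile, 'com.example.update_profile',
#                       RegisterOptions(details_arg='details'))

if __name__ == "__main__":
    print(update_profile("alice", "alice2@example.invalid", CallDetails(caller=1001)))
    try:
        update_profile("alice", "evil@example.invalid", CallDetails(caller=1002))
    except NotAuthorized as exc:
        print("rejected:", exc)
```

The important property is that a call without disclosed caller details is refused rather than treated as anonymous-but-allowed; if the router is not configured to disclose callers and the client omits disclose_me, the procedure cannot authorize the request at all.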