On 3/30/15 9:18 AM, Tobias Oberstein wrote:
> > authid is passed to all RPC calls when disclosure is turned on
>
> This is where I disagree. The authid is just one info of potential
> interest. Another developer asked for transport level info (like Cookies
> from WebSocket handshake).
>
> It doesn't make sense to forward this bulky info on _each and every_
> call forwarded.
>
> Instead, you can retrieve it when needed by calling "wamp.session.get"
> ... you might cache it yourself, or you might just call
> "wamp.session.get" each time you need it.

Right now, you are sending a 'caller' detail which is the session_id of
the WAMP connection. What good is this data to me? ... I want the
unique Id of my caller instead. I see the unique id of my connected
client as another RPC parameter. For example, myfunc(a, b, c)

    com.example.myfunc ( [ a, b, c, ] )

And ideally, account_id ("authid") would be in this list of parameters also:

    com.example.myfunc ( [ a, b, c, authid ] )

We can't trust the data to come from the client, but we can trust it to
come from Crossbar since Crossbar stores the data after authentication.
So, let's have Crossbar pass that info in the details:

    com.example.myfunc ( [ a, b, c ], {}, { authid: ... } )

But what you are telling me is that there is much information that would
be in details, so you want to remove it all and instead send a reference
ID that can be used to look up the data later using wamp.session.get!

    com.example.myfunc ( [a, b, c], {}, { caller: ... } )

But, now I have to write this code at the top of all of my RPC calls:

    account_id = call_wamp_session_get_to_find_authid(callerid);

So, there's a round-trip sub-request to look up the data that you didn't
want to send in the first place! How is that *more* efficient? I
understand that I can cache that lookup in my back-end caller, but what
will that cache look like?

    caller "session_id" ---> authid

Does that look familiar? It should, because you *already* have that map
inside Crossbar itself! Why are we duplicating effort here?

What I'm complaining about is that WAMP clients are being forced to
write a layer of code we didn't have to write before. This is a task
that can easily be (and is already being) handled by Crossbar itself.

How about Crossbar adds a configuration value into config.json that
allows us to choose which "details" info are forcefully passed to all
back-end clients? Perhaps an array of names?

    "realms" : [ {
        ...
        "roles" : [ {
            "id" : "backend",
            "name" : "backend",
            "permissions" : [ {
                "uri" : "*",
                "publish" : true,
                "subscribe" : true,
                "call" : true,
                "register" : true
            } ],
            "force-details" : [ "authid", ... ]
        },

By doing this, Crossbar only needs to send a small piece of data (authid
is an integer for me), and can save a lot of work having to look up and
cache this information. Crossbar already has the map, why force another
round-trip call to wamp.session.get when we *know* that call needs to
happen every time anyhow?

With an implementation like "force-details", you also solve the problem
that requires all callers to request 'disclose_me' : true on every call
(isn't that also a waste of payload?). Now, the backend role can request
the 'authid' id for each and every RPC request. Clients don't have to
add the disclose me request, and backend WAMP clients don't have to
maintain a caller to account id cache or lookup function.

-- Dante
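
The session_id-to-authid cache discussed in the message above, sketched as an added example (not code from this thread or from Crossbar): entries are filled through the wamp.session.get meta procedure and dropped on wamp.session.on_leave. The AuthidCache class, the injected call coroutine and the sample sessions are assumptions made for the illustration.

```python
import asyncio


class AuthidCache:
    """session_id -> authid map for a backend callee, filled via wamp.session.get."""

    def __init__(self, call):
        # Assumption: `call` behaves like a WAMP client session's call():
        #   await call(procedure_uri, *args) -> result
        self._call = call
        self._authid = {}

    async def authid_for(self, caller):
        # `caller` is the session id the router places in the call details;
        # it is never taken from the client-supplied arguments.
        if caller is None:
            raise PermissionError("caller not disclosed; refusing to guess identity")
        if caller not in self._authid:
            info = await self._call("wamp.session.get", caller)
            self._authid[caller] = info["authid"]
        return self._authid[caller]

    def on_leave(self, session_id, *_rest):
        # Meant to be subscribed to wamp.session.on_leave, so an entry is
        # dropped once its session is gone instead of being kept forever.
        self._authid.pop(session_id, None)


def demo():
    # Constructed stand-in for the router's session table (not real data).
    router_sessions = {1001: {"authid": "alice"}, 1002: {"authid": "bob"}}
    lookups = []

    async def fake_call(uri, session_id):
        lookups.append((uri, session_id))
        return router_sessions[session_id]

    async def run():
        cache = AuthidCache(fake_call)
        first = await cache.authid_for(1001)
        again = await cache.authid_for(1001)  # served from the cache
        # Constructed case: session 1001 closes and the same id is later
        # seen with a different authid; the stale entry must not answer.
        cache.on_leave(1001)
        router_sessions[1001] = {"authid": "carol"}
        after = await cache.authid_for(1001)
        return first, again, after, len(lookups)

    return asyncio.run(run())
```

Without the on_leave handler the third lookup in demo() would still return "alice", which is the bookkeeping every backend inherits once it keeps its own copy of the router's map.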