Sorry guys, I set out to do it Monday morning, but then a little shit storm happened at my company and I didn't get to it :/
I'll try to give you a quick overview of what I'm doing. If you want to know more details just ask.
Before I begin, I want to say that I am no security expert so please don't take this with caution.
As of 0.7, sharejs does not provide any way of creating a socket connection, as was previously the case, so you have to roll your own. This makes things a lot more flexible and easier in my opinion and works very well. I'm using sockjs [1] as the underlying library to actually create a socket connection. To make this work you have to use transport-adapters [2] and my fork of sharejs [3], which will hopefully be merged soon. The transport-adapters repository has a simple working example of how to set up a basic connection without authentication in examples/sockjs.
So establishing a connection with sharejs on the server consists of two parts:
1. Establish a socket connection with sockjs.
2. Attach the socket connection to sharejs using the specified transport-adapter.
On the client there are two parts as well and the only difference is that there is no need for a transport-adapter.
For adding the first layer of authentication I use the gap between steps 1 and 2.
After the socket connection is established I send, as the first message, a JSON object that identifies the client as having a valid session. If the first message that the server receives is not this object, or the session is invalid, the connection is terminated.
If the session checks out I add it to a list of connections, save the credentials under the connection id, make a note that it is a valid connection and send the client a message saying that it was authenticated. Only now the server and the client give the connection to sharejs.
The second layer of security is added using the new middleware feature of sharejs.
On the "connect", "subscribe", "fetch" and "submit" events I check, using the saved credentials (looked up via the connection id), whether the action is allowed for the given user, and if not I return an error or terminate the connection.
I hope this helps a bit, and if you have suggestions on how this can be improved I'm happy to hear them.
Cheers
dignifiedquire
[1] http://sockjs.org/
[2] https://github.com/dignifiedquire/transport-adapters
[3] https://github.com/share/ShareJS/pull/271
--
dignifiedquire
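The two-layer scheme described in the post (a session handshake before the socket is handed to sharejs, then per-action checks keyed by connection id), written up as an added example rather than the author's code. It models the connection as a minimal object with `id`, `write` and `close` so it runs without sockjs or sharejs; the session store, the credential shape and the `{type: "auth", session: ...}` message format are all constructed assumptions.

```javascript
// Constructed session store: session id -> credentials. In the real setup this
// would be whatever session backend the application already uses.
const sessions = new Map([
  ['sess-abc', { user: 'alice', canRead: ['doc1', 'doc2'], canWrite: ['doc1'] }],
]);
// Per-connection state saved under the connection id once the handshake passes.
const connections = new Map();

// Layer 1: the very first message on a fresh socket must be an auth object
// referencing a valid session; anything else closes the connection.
function handleFirstMessage(conn, raw) {
  let msg = null;
  try { msg = JSON.parse(raw); } catch (e) { /* not JSON: treated as invalid */ }
  const creds = msg && msg.type === 'auth' && typeof msg.session === 'string'
    ? sessions.get(msg.session) : undefined;
  if (!creds) { conn.close(); return false; }
  connections.set(conn.id, { ...creds, authenticated: true });
  conn.write(JSON.stringify({ type: 'auth', ok: true }));
  return true; // only now would the caller attach conn to sharejs
}

// Layer 2: sharejs-middleware-style check for one action on one document,
// using only the credentials saved at handshake time (never client-supplied).
function authorize(connId, action, docId) {
  const c = connections.get(connId);
  if (!c || !c.authenticated) return { allowed: false, reason: 'not authenticated' };
  switch (action) {
    case 'connect': return { allowed: true };
    case 'subscribe':
    case 'fetch': return c.canRead.includes(docId)
      ? { allowed: true } : { allowed: false, reason: 'no read access' };
    case 'submit': return c.canWrite.includes(docId)
      ? { allowed: true } : { allowed: false, reason: 'no write access' };
    default: return { allowed: false, reason: 'unknown action' };
  }
}

// Forget the saved credentials when the transport reports the socket closed.
function handleClose(connId) { connections.delete(connId); }

// Minimal stand-in for a sockjs connection object (constructed for the example).
function makeConn(id) {
  const conn = { id, sent: [], closed: false };
  conn.write = (m) => conn.sent.push(m);
  conn.close = () => { conn.closed = true; };
  return conn;
}
```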
On November 21, 2013 at 7:13:13 PM, aslak hellesoy (aslak.h...@gmail.com) wrote: