actionhero websocket and security


frost...@gmail.com

Jun 17, 2014, 4:31:55 AM
to action...@googlegroups.com
Hello,

I have an android application and I want to monitor who has the app started or not (by user id).

1. How can I do this with faye websocket?
2. How can I do this with plain sockets?

I'm not asking how I do this in android, but how I do it in actionhero and which one is better.
I also use the "REST" part of actionhero; how do I secure websocket and sockets in this case, because I want to use them only for these online user stats.

My result should be one page with realtime stats (for this I think websockets are the way for stats update).

I have little experience in nodejs and in WEB in general, please advise. I don't necessarily want a code example, just advice and what to read to make it myself.

Evan Tahler

Jun 17, 2014, 11:04:16 AM
to frost...@gmail.com, action...@googlegroups.com
I'm giving your answer in reference to the soon-to-be released actionhero v9.0, which is currently the master branch on github. Some parts of my answer won't work on the current version that is live on NPM today. However, the kinds of features you are talking about are exactly why we made some of the upgrades!

-

In both cases (socket and websocket), you want to monitor the active connections. On each server the active connections are stored in a hash, `api.connections.connections`. You can create an action that looks at this hash and provides an API to view summary information about the active connections. Each connection also has some metadata, like `connection.type`, which will tell you if it is a "socket" or "websocket" client.

When your application grows, and you have more than one server/node/cluster, you can't inspect `api.connections` on all the servers, just the one you are connected to.  The solution here is to use actionhero's chat features.  Have all clients join a room (or many rooms), and you can ask each room `api.chatRoom.roomStatus(room, callback)` where (callback(err, details)) details will contain a list of `connection.id` for the folks currently in each room.  From there, if you need more information about each connection, you can use `api.connections.apply(client.id, callback)` to get information about a connection, regardless of which server it is connected to.  (callback is of the type (error, connection)).  

Alternatively, you can use a connection middleware to keep a list of connections in redis, which you can read for your status page.

-

Securing your websocket connections is mostly up to you. Use HTTPS obviously, but other than that, the authentication scheme you wish to use is largely dependent on your application. Usually in actionhero, authentication is done regarding rooms and actions. Connections can join the server all they want, but doing either of these actions is where we check the connection's status.

Securing an action is usually done with one action "login" modifying a property of the `connection.originalConnection` (i.e.: `connection.originalConnection.auth = true`), and then subsequent 'secure' actions checking for that property. Your login action can check params, headers, cookies, etc. You can simplify the authentication of subsequent actions with a middleware.

Securing the joining of chatrooms is done using `api.chatRoom.setAuthenticationPattern`, and follows a similar pattern.  Some notes are kept here

-

Also of note, in the near future we are replacing "faye" with "primus" as our websocket backend.




--
You received this message because you are subscribed to the Google Groups "actionHero.js" group.
To unsubscribe from this group and stop receiving emails from it, send an email to actionhero-j...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
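The login-flag pattern from the reply above, combined with a stats action over the connections hash, as an added example (not code from the thread or from actionhero). It is a framework-free sketch: the action table, `runAction`, the token value and the sample connections are hypothetical stand-ins, and the flag is set directly on the stand-in connection object.

```javascript
// Constructed stand-in for the per-server hash `api.connections.connections`.
const api = { connections: { connections: {
  a1: { id: 'a1', type: 'socket' },      // android client (constructed)
  a2: { id: 'a2', type: 'socket' },      // android client (constructed)
  w1: { id: 'w1', type: 'websocket' },   // dashboard page (constructed)
} } };

// Hypothetical action table. Only actions marked `public` run without login.
const actions = {
  login: { public: true, run: (conn, params) => {
    // Stand-in credential check; a real login would verify params,
    // headers or cookies against the application's own user store.
    conn.auth = params.token === 'constructed-dashboard-token';
    return conn.auth ? { ok: true } : { error: 'login failed' };
  } },
  onlineStats: { run: () => {
    // Summarise the active connections on this server by `connection.type`.
    const counts = {};
    for (const c of Object.values(api.connections.connections)) {
      counts[c.type] = (counts[c.type] || 0) + 1;
    }
    return counts;
  } },
};

// Middleware-style gate that runs before every action: default deny.
function runAction(conn, name, params = {}) {
  // Own-property lookup so names like "constructor" never resolve to an action.
  if (!Object.prototype.hasOwnProperty.call(actions, name)) {
    return { error: 'unknown action' };
  }
  const action = actions[name];
  if (!action.public && conn.auth !== true) {
    return { error: 'not authenticated' };
  }
  return action.run(conn, params);
}

// A connection that has not logged in is refused the stats.
console.log(runAction({ id: 'x', type: 'websocket' }, 'onlineStats'));
```

The flag is per connection, so a dashboard login does not authenticate the socket clients, and a failed login leaves the connection unauthenticated.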

frost...@gmail.com

Jun 18, 2014, 4:23:21 AM
to action...@googlegroups.com, frost...@gmail.com
Thank you for the detailed answer.
You are right, in the future I'll need more actionhero instances across multiple servers.
Right now I think plain sockets are better for android communication because you plan to replace faye and I'll have to replace my code also after this.
My plan is to use sockets to communicate with actionhero server and change room after connection.
I also have to receive some data from the clients through sockets, so I think I will execute an action through socket, not use "say", because it will generate traffic and also all other socket connected clients will see the message (+ I don't know how to read id on server :)).
I also think, based on what I see in ah code, you announce to all room clients that a new client has entered. This is also bad for me, because I don't need client to client communication. I want to get only client-server, but not regular http because of those real time stats.

For the "dashboard" webpage I will need to use websockets, I don't want any page refresh.

So the plan is like this:
- android client connects to ah socket server and I changeRoom to private room so each client will be alone in his room - no extra messages and things (I can intercept through connection middleware the connection and increment some redis key - or use ah stats)
Q. How do I announce this (new client connected / disconnected) through websocket for page update?
- android client executes some action and sends some data.
Q. How I announce websocket?

Thank you for helping me.

Evan Tahler

Jun 18, 2014, 8:06:06 PM
to frost...@gmail.com, action...@googlegroups.com
The only way to tell when folks leave and enter a room is by the announcements that you don't want.  You can ignore them on the client, but if you want to ignore these types of messages, I think you should be able to.  I'll add a new verb to `silenceAnnouncments` clients can call when they enter rooms [[ https://github.com/evantahler/actionhero/issues/405 ]].  This way the ws client can opt to keep the announcements, and the socket clients won't be annoyed by these messages.



Evan Tahler

Jun 24, 2014, 3:22:03 AM
to action...@googlegroups.com, frost...@gmail.com
This has been replaced with a chat middleware, and is released as part of v9.0.0 https://github.com/evantahler/actionhero/pull/407