How can a server method get info about the client connection?


Jens Alfke

Dec 16, 2021, 12:41:19 PM
to Cap'n Proto
Now that I've implemented authenticated connections, I need my server-side methods to be able to find out the identity (public key) of the connected peer. So for example, my method LibraryImpl::checkoutBook(isbn) needs to check the identity of the client (as given in the SecretHandshake when connecting) to determine if they have permission to get that book.

(A different example that doesn't involve SecretHandshake is one where a server-side method wants to look at the IP address of the client. Or, if using TLS, the client's TLS cert.)

What's the best way to do this? I'm using my modified version of EzRpcServer, and I'm getting familiar with its innards but I can't claim to really understand this stuff yet. It appears that the "mainInterface" capability vended by the server is a singleton, shared by all clients, so I can't stuff per-client info into it. The point of vending is the restore() method, but that method can't tell what client it's being called on behalf of...

--Jens

Kenton Varda

Jan 12, 2022, 12:27:39 PM
to Jens Alfke, Cap'n Proto
Hi Jens,

Sorry again for the delay in replying.

The trick here is that you want to construct your "bootstrap" capability with knowledge of the client, and pass that knowledge on to any capabilities that you pass to that client. So you'd end up with a different server object for each connected client. This approach plays nicely with Cap'n Proto's capability-based security model, whereas attaching authentication information to individual RPC calls would go against capability-based security. This becomes especially important in scenarios where lots of different objects are being passed around between a bunch of nodes.

The C++ RPC implementation has something called "BootstrapFactory" which helps you arrange to create a new bootstrap for each client.

-Kenton
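
A self-contained C++ model of the per-client bootstrap pattern described in the reply above, added here as an example; it is not code from this thread or from Cap'n Proto and does not call the real `BootstrapFactory` API. `PeerIdentity`, `LibraryBootstrapFactory`, `sampleAcl` and the ACL layout are hypothetical names, and the keys and ISBNs are constructed sample values.

```cpp
#include <map>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical: identity the transport authenticated (e.g. handshake public key).
struct PeerIdentity { std::string publicKey; };
using Acl = std::map<std::string, std::set<std::string>>;  // isbn -> allowed keys

// One instance per connected client; identity is bound at construction.
class LibraryImpl {
public:
  LibraryImpl(PeerIdentity peer, const Acl& acl) : peer_(std::move(peer)), acl_(acl) {}
  // No credential parameter: the caller cannot claim to be someone else.
  bool checkoutBook(const std::string& isbn) const {
    auto it = acl_.find(isbn);
    return it != acl_.end() && it->second.count(peer_.publicKey) > 0;
  }
private:
  const PeerIdentity peer_;
  const Acl& acl_;  // owned by the factory, which must outlive this object
};

// Invoked once per accepted connection, after authentication has succeeded.
class LibraryBootstrapFactory {
public:
  explicit LibraryBootstrapFactory(Acl acl) : acl_(std::move(acl)) {}
  std::unique_ptr<LibraryImpl> createFor(const PeerIdentity& peer) const {
    if (peer.publicKey.empty()) throw std::invalid_argument("unauthenticated peer");
    return std::make_unique<LibraryImpl>(peer, acl_);
  }
private:
  Acl acl_;
};

// Constructed sample policy: only "key-alice" may check out "isbn-1".
Acl sampleAcl() {
  Acl acl;
  acl["isbn-1"].insert("key-alice");
  return acl;
}

int main() {
  LibraryBootstrapFactory factory(sampleAcl());
  auto alice = factory.createFor(PeerIdentity{"key-alice"});
  auto bob = factory.createFor(PeerIdentity{"key-bob"});
  return (alice->checkoutBook("isbn-1") && !bob->checkoutBook("isbn-1")) ? 0 : 1;
}
```

Any further capability handed to a client would be constructed from its `LibraryImpl` in the same way, so the identity travels with the object rather than with each call.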
