How do I expire a client subscription from the Server?


Hemal Athulathmudali

Aug 23, 2017, 8:39:34 AM
to Faye users

I have a Faye server written in NodeJS and a web client using the Faye Web client. My code on the server already takes care of validating an incoming user subscription and issues a token back to the client. This token is a JWT token which expires in 1 minute. The client sends this token back to the server in each subsequent message it publishes to the server via a client-side extension. The server validates this token using a server-side Faye extension and does not publish messages containing any expired token to other clients (by setting the message.error field).


This works well for restricting clients with expired sessions from publishing. But it does not prevent them from receiving published messages even after the session has expired. For the time being I have an incoming Faye extension on the client side which detects the expiration error and makes it unsubscribe, but this makes the design depend on the client-side code for unsubscribing, which is not ideal in terms of security IMO.


So may I know how to expire a subscription of a specific client from the server itself? Is this possible at all, or are there any workarounds to achieve this other than depending on the client code?


My project source can be found on GitHub via the link below:
https://github.com/harindaka/faye-poc/tree/678ac8491ed03309a2acde8df36bf9dca2d89c87

Hemal Athulathmudali

Aug 24, 2017, 2:53:06 AM
to Faye users
I'm wondering if it is possible to call something like `engine.destroyClient(clientId, function() {})` from the server object returned by `new faye.NodeAdapter(options)` as mentioned below

Hemal Athulathmudali

Aug 25, 2017, 2:13:02 AM
to Faye users
Ok I was able to do this by calling `fayeServer._server._engine.destroyClient(clientId, function() {});`. Note that I'm using the faye-redis engine. Can anyone confirm if this is the correct way to do this? Thanks.

James Coglan

Sep 2, 2017, 7:26:34 AM
to faye-...@googlegroups.com
On 25 August 2017 at 07:13, Hemal Athulathmudali <hari...@gmail.com> wrote:
> Ok I was able to do this by calling `fayeServer._server._engine.destroyClient(clientId, function() {});`. Note that I'm using the faye-redis engine. Can anyone confirm if this is the correct way to do this? Thanks.

This will work, but you're breaking several abstraction boundaries here so this might interact weirdly with other Faye code and stop working in a future release.

If you want to forcibly disconnect a certain client you should send this message to the server:

    {"channel": "/meta/disconnect", "clientId": "[the client ID here]"}

Or, you could require authentication on the /meta/connect channel, rather than the /meta/subscribe one. The client polls for new messages using /meta/connect, and successful calls on that channel are what refresh the client's session with the Faye server. So if you make that return an error, the client's session will time out and it will have to get a new client ID and re-register its subscriptions.

Hemal Athulathmudali

Sep 5, 2017, 1:09:50 PM
to Faye users
Thank you James. I believe this should be in the documentation since it is an important functionality. Maybe I missed it when I went through it here https://faye.jcoglan.com/

Hemal Athulathmudali

Sep 5, 2017, 1:26:48 PM
to Faye users
Ok I see now this is part of the Bayeux protocol definition. Posting link here for anyone else who might be interested https://docs.cometd.org/current/reference/index.html#_bayeux