Comments (7)
For reference, here's a custom permissions handler I wrote for this:
const ConfigPermissionHandler = require('deepstream.io/src/permission/config-permission-handler')
...
// Wrapper around ConfigPermissionHandler to handle verifying searches ourselves.
class CustomPermissionsHandler extends ConfigPermissionHandler {
constructor () {
// Deepstream already needs to be initialized, and the permissions configuration needs to be passed or in the options object.
super(deepstream._options, require('./deepstream-config/permissions.json'))
}
// This is the important part.
canPerformAction (username, message, callback, authData) {
// Special logic if this is a search query.
if (message.data && message.data[0] && message.data[0].indexOf('search?') !== -1) {
try {
// Parse the query payload.
const searchPayload = JSON.parse(message.data[0].split('?')[1])
// Create a new message replacing the search query with the target table name.
const tableMessage = Object.assign({}, message)
tableMessage.data = [searchPayload.table, searchPayload]
Promise.all([
// Run permissions checker twice, first for the search query message, then for the table access message.
new Promise((resolve, reject) => {
super.canPerformAction(username, message, (...args) => {
resolve(args)
}, authData)
}),
new Promise((resolve, reject) => {
super.canPerformAction(username, tableMessage, (...args) => {
resolve(args)
}, authData)
})
])
.then(results => {
// If any of those results are false, deny the request.
const finalAllowDeny = results.reduce((acc, result) => acc && result[1], true)
// results[0] is the most "accurate" permission check, so use any metadata for that that comes through.
callback(results[0][0], finalAllowDeny)
})
} catch (e) {
// Handle permission errors here. Passing false denies the request attempt.
callback('Permissions Validation Error.', false)
}
// Otherwise pass it on to the normal handler.
} else {
super.canPerformAction(username, message, (...args) => {
callback(...args)
}, authData)
}
}
}
...
deepstream.set('permissionHandler', new CustomPermissionsHandler())
It basically sends two checks for search queries. One passes the full search query as expected, the other only passes the table name, allowing you to allow/deny with normal valve table rules.
Seems to work okay, but I'm not sure I understand ConfigPermissionsHandler well enough to guarantee that it works 100% of the time.
from deepstream.io-provider-search-rethinkdb.
Will the current alternative be to use RPC calls and implement queries on the backend (if you want security)? And then RPC calls can be protected by Valve?
(I am evaluating Deepstream for a realtime project.)
from deepstream.io-provider-search-rethinkdb.
Is it possible to extract the table being queried in Valve to then check via cross reference whether a user should have access to it?
Something like
record:
"search?$queryString":
create: "_('permissions/' + user.data.userId).allowedSearches.indexOf($queryString.table) > -1"
Just not sure how to extract the table name from $queryString
from deepstream.io-provider-search-rethinkdb.
Maybe this will work:
record:
"search?$queryString":
create: '_("permissions/" + user.data.userId).allowedSearches.indexOf($queryString.match(/{"table":"(.*?)",/)[1]) > -1'
from deepstream.io-provider-search-rethinkdb.
Pretty bad news indeed...
Is it possible to mitigate the issue using a restricted rethinkdb user for the search provider (in rethinkdbConnectionParams) ?
This user would be granted only "public" tables ?
from deepstream.io-provider-search-rethinkdb.
Has the code by @JoshTheDerf been incorporated into the community version of Deepstream? I'm afraid without permissions enforcement, this security loophole is going to be very bad for Deepstream.
from deepstream.io-provider-search-rethinkdb.
from deepstream.io-provider-search-rethinkdb.
Related Issues (20)
- Cannot get all records on a table with an empty query HOT 1
- Own record subscription results in non-robust programming style suggestion HOT 4
- Query should support `in` operator
- search should support `Date`s in rethink HOT 1
- Query should support `ge` and `le`
- Resolve search results race condition
- primaryKey should be configurable HOT 1
- Query on path properties HOT 5
- Why do you need create record valve permission to getList('search?' + queryString)? HOT 1
- How to specify sort order (orderBy) in queryString? HOT 1
- Crashing - probably on too-fast unsubscribe based on the trace HOT 2
- Consider rewritten version HOT 2
- Multiple subscription error HOT 1
- Add «OR» operator
- Cannot read property 'name' of null HOT 1
- how can I use this plugin with deepstreamhub community version HOT 1
- Bug: Complex search queries cause primary key to be too long HOT 1
- Query should support `contains` operator HOT 1
- How should I distinguish when a generared list has recieved an initial value from the server? HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from deepstream.io-provider-search-rethinkdb.