Callee exposed to autobahn js client

thug3r · December 21, 2020, 12:47pm

Hello,

At some point autobahnJs clients started to receive callee information for each RPC request. Is this a bug or a feature? And is there a way to disable it?

Example request/response copied from firefox dev tools

autobahnJS -> crossbar -> autobahnPython backend

request [48,1,{},“com.example.get_data”]
response [50,1,{“callee”:1234567890,“callee_authrole”:“backend”},[7]]

Tested with the latest crossbar/autobahn versions. Can be replicated with this example:

meejah · December 21, 2020, 4:34pm

Hello,

There is an option to disclose this information or not. See https://crossbar.io/docs/Caller-Identification/#caller-identification

thug3r · December 22, 2020, 1:45pm

Hello meejah,

I got no problems with caller information disclosure. The problem is that the autobahnJs client can see backend’s sessionid and authid in response to his rpc requests. The callee information is disclosed, not callers.

http client request [48,1,{},“com.example.get_data”]
backend response to com.example.get_data -> [50,1,{“callee”:1234567890,“callee_authrole”:“backend”},[7]] (backend responds with value 7 and discloses its session ID and authrole)