Handle dynamic authorization error

#1

Hi to all,

I have a web app that uses Crossbar and Autobahn with React on the frontend.
I’m using dynamic authorization to determine if a session has expired and if it has, deny access to RPC calls.

So far, inside my session authorizer function on the backend:
async def session_authorizer(dbcon, dbapi, logger, session, uri, action, options):

I return a reply like this:
reply = {
    'allow': False,    # deny the call
    'disclose': True,
    'cache': True
}
and an error is logged on my browser’s console:
Potentially unhandled rejection [6] {"error":"wamp.error.not_authorized","args":["session is not authorized to call procedure 'com.panel.func'"],"kwargs":{}} (WARNING: non-Error used)

So, the session_authorizer function correctly denies access to the caller. But I want to do some actions on the frontend if the user is no longer authorized. Is there a way to do that?

I have trouble finding how and where to catch the not_authorized error on the frontend.

Is there a way for Crossbar to ‘notify’ the frontend that the user is no longer authorized and allow me to do the actions I want (log him out)?

The session_authorizer function is called by Crossbar itself so I can’t use its response to trigger actions.

#2

How do you decide if a user is “no longer authorized”?

In that code (sounds like session expiry or similar?), you could do something to alert the JS side: publish() to a particular topic, or call some method that particular client has registered. Or, even just “assume” on the client-side that a denied call means you’ve been de-authorized (if you’ve been authorized one already).

#3

Thanks @meejah.
How do you decide if a user is “no longer authorized”?
In our DB, we store the status and public key’s expiry date of a user’s session.
On the backend, we do a check inside session_authorizer and if the session has expired, access to the RPC call is denied.

So, the moment the user tries to call an RPC, the session_authorizer runs and checks the session.
If access is denied, I want to catch that error thrown on the frontend and log out my user.

I appreciate the ways you suggested, however I want to point out that the error already is exposed on the frontend. Instead of opening a new communication channel between the backend and the frontend, isn’t there a way for this error to bubble up from the library level to a level the frontend can catch it?

Again, I see this error:
Potentially unhandled rejection [6] {"error":"wamp.error.not_authorized","args":["session is not authorized to call procedure 'com.panel.func'"],"kwargs":{}} (WARNING: non-Error used)

on my browser console and if I’m not mistaken, the docs say this is an ApplicationError thrown by Autobahn.

Or, even just “assume” on the client-side that a denied call means you’ve been de-authorized
That’s what I’m looking for, how does the frontend become aware that a denied call means you’ve been de-authorized? So far, the only thing I’ve found Autobahn offers, is that if you’re de-authorized, calls to RPCs are denied but not a way to take action after this happens.

All I’m looking for is a way to catch that error somehow on the frontend. So far I haven’t found a way to do it via Autobahn’s methods. So, perhaps there isn’t one or there is one I am not aware of.

#4

Oh, I see – you’re just asking “how do I see that error in JS code”?
(That should definitely be available, but I’ve not used the JS frontend very much)
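The client-side handling asked about in #3, as an added example that is not code from the thread or from Autobahn|JS: the rejection from session.call() is caught, classified by its `error` field (the same shape as the console message above), and a logout hook is run for wamp.error.not_authorized. The session object is a constructed stand-in so the snippet runs without a router; with a real autobahn session the same `callWithAuthCheck` wrapper applies.

```javascript
// Added example, not from the thread. Autobahn|JS rejects a call with an
// error object carrying { error, args, kwargs }; a plain object with those
// fields is used here so this runs offline.
const WAMP_NOT_AUTHORIZED = "wamp.error.not_authorized";

// True when the rejection is the router's dynamic-authorizer denial.
function isNotAuthorized(err) {
  return Boolean(err) && typeof err === "object" && err.error === WAMP_NOT_AUTHORIZED;
}

// Wrap session.call(): on a not_authorized rejection run the caller's
// onDeauthorized hook (clear local state, redirect to login, ...) and resolve
// with undefined; every other error is re-thrown so normal handling sees it.
function callWithAuthCheck(session, uri, args, kwargs, onDeauthorized) {
  return session.call(uri, args || [], kwargs || {}).catch((err) => {
    if (isNotAuthorized(err)) {
      onDeauthorized(err.args && err.args[0]);
      return undefined;
    }
    throw err;
  });
}

// Constructed stand-in for an autobahn session whose authorizer denies one
// procedure (mirrors the 'com.panel.func' denial from the question).
function makeFakeSession(deniedUri) {
  return {
    call(uri) {
      if (uri === deniedUri) {
        return Promise.reject({
          error: WAMP_NOT_AUTHORIZED,
          args: [`session is not authorized to call procedure '${uri}'`],
          kwargs: {},
        });
      }
      return Promise.resolve(`result of ${uri}`);
    },
  };
}

// Demo: the denied call triggers the logout hook instead of surfacing as an
// unhandled rejection; an allowed call still returns its result.
function runDemo() {
  const events = [];
  const session = makeFakeSession("com.panel.func");
  const logout = (reason) => events.push(`logout: ${reason}`);
  return callWithAuthCheck(session, "com.panel.func", [], {}, logout)
    .then(() => callWithAuthCheck(session, "com.panel.other", [], {}, logout))
    .then((res) => { events.push(res); return events; });
}
```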