How do you check who is making an RPC call?

#1

Once a client is authenticated, I need to check whether it has permission to perform a specific action. For example, if it requests to modify some data belonging to a user, I need to check that it is indeed this user, with authid matching its username.

How can I do that?

0 Likes

#2

You can enable caller details. E.g., Crossbar.io supports that. What you get is (currently) the WAMP session ID of the caller that originates the call. And using the WAMP meta API of Crossbar.io, you can retrieve all session details, including authid and authrole. This isn’t set in stone … we might also directly provide the authid/authrole in the call details … saving an additional call. The thing is: there is a tradeoff between sending info directly with each and every call and letting user code retrieve additional info on demand.

···

Sent from Mobile (Google Nexus 5)

On 26.08.2015 18:20, “Michel Desmoulin” desmoul...@gmail.com wrote:


You received this message because you are subscribed to the Google Groups “Autobahn” group.

To unsubscribe from this group and stop receiving emails from it, send an email to autobahnws+...@googlegroups.com.

To post to this group, send email to autob...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/autobahnws/0de0ed67-917c-4ecc-aa39-6e019de14c21%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

0 Likes

#3

The choice could be made with a specific option in the ‘register’ call.

···

On Wednesday, 26 August 2015 18:54:36 UTC+2, Tobias Oberstein wrote:


0 Likes

#4

Thanks. For the next ones looking for it, it’s here: http://crossbar.io/docs/Caller-Identification/

This trade-off could be configurable, though.

Adding an additional 20 ms of back and forth to get the information seems a bit overkill, but I don’t know what performance issues sticking authid and authrole on the requests directly would cause. Intuitively I feel it’s no more than the additional requests you would make most of the time anyway, but it’s hard to know how often you need this info and how long the additional call takes on a real site.

My vote is for the inclusion of at least authid, plus a parameter to allow the registration to require { disclose_me: true } from clients, so we can have a standard error for that if they don’t set it. Or a decorator checking for it. Probably easier to implement, and it will not overload the router.

···

On Wednesday, August 26, 2015 at 6:20:22 PM UTC+2, Michel Desmoulin wrote:


0 Likes

#5

I managed to use the disclose_me parameter on the caller:

session.call('com.example.add2', [2, 3], {}, { disclose_me: true })

But I can’t find a way to read the details on the callee:

  def add2(*args, **kwargs):
     print("add2() called with {} and {}".format(args, kwargs))
     return sum(args)  # add the positional arguments

  yield self.register(add2, 'com.example.add2')

This only prints the ordinary parameters. I’m on the latest version of Crossbar.

···

On Wednesday, August 26, 2015 at 6:54:36 PM UTC+2, Tobias Oberstein wrote:


0 Likes

#6

You need to ask for details_args in subscribe’s options

···

On Wednesday, 26 August 2015 20:27:07 UTC+2, Michel Desmoulin wrote:


0 Likes

#7

Hi Michel,

the caller details are provided as a third argument, so you have (args, kwargs, details).

Regards,

Alex

···

On Wednesday, 26 August 2015 20:27:07 UTC+2, Michel Desmoulin wrote:


0 Likes

#8

There is no subscribe, it’s an RPC.

···

On Thursday, August 27, 2015 at 10:31:35 AM UTC+2, Rejo wrote:


0 Likes

#9

I used *args and **kwargs. It doesn’t appear in any of them. This notation catches all parameters.

The call (js):

        session.call('com.example.add2', [2, 3], {}, { disclose_me: true }).then(
           function (res) {
              console.log("OK: call result received", res);
           },
           function (error) {
              console.log("ERROR: call error (and this have succeeded!!)", error);
           }
        );

The remote procedure:

  def add2(*args, **kwargs):
     print("add2() called with {} and {}".format(args, kwargs))
     return sum(args)

  reg = yield self.register(add2, 'com.example.add2')

The output:

 add2() called with (2, 3) and {}

···

On Thursday, August 27, 2015 at 11:27:06 AM UTC+2, Alexander Gödde wrote:


0 Likes

#10

Oops… I meant ‘register’… (and RegisterOptions)

···

On Thursday, 27 August 2015 15:05:52 UTC+2, Michel Desmoulin wrote:


0 Likes

#11

Thanks, it worked.

For those wondering about the solution:

     from autobahn.wamp.types import RegisterOptions

     # the callee then receives the router's CallDetails as keyword argument "details"
     # (caught by **kwargs, or declared explicitly as details=None)
     options = RegisterOptions(details_arg="details")
     reg = yield self.register(add2, 'com.example.add2', options)

···

On Thursday, August 27, 2015 at 4:01:53 PM UTC+2, Rejo wrote:


0 Likes
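Added worked example (not code from this thread, from Crossbar.io or from autobahn): the authorization check Michel asked about in #1, built the way Tobias describes in #2 and registered the way #11 shows. A procedure registered with RegisterOptions(details_arg="details") receives the router-provided call details as the keyword argument `details`; `details.caller` is the caller's WAMP session ID when the caller set disclose_me, otherwise None. The code below refuses calls without a disclosed caller with one standard error (the decorator Michel suggested in #4), resolves the session ID to an authid/authrole, and only then compares it against the caller-supplied target user. The `CallDetails` class, the `SESSIONS` table standing in for the WAMP meta API lookup, the `NotAuthorized` exception and its error URIs, and the `PROFILES` store are assumptions constructed for the example so it runs offline without a router.

```python
# Added example: callee-side authorization from disclosed caller details.
# Nothing here is imported from autobahn; the `details` keyword mirrors the
# shape autobahn uses for RegisterOptions(details_arg="details"), and the
# session table, profile store and error URIs are constructed stand-ins.
import functools
from dataclasses import dataclass
from typing import Optional


class NotAuthorized(Exception):
    """Stand-in for raising autobahn's ApplicationError with a custom error URI."""

    def __init__(self, uri: str, message: str = ""):
        super().__init__(f"{uri}: {message}" if message else uri)
        self.uri = uri


@dataclass
class CallDetails:
    # Constructed stand-in for the router's CallDetails; only the field used
    # here is modelled. `caller` is the caller's WAMP session ID as disclosed
    # by the router, or None when the caller did not set disclose_me.
    caller: Optional[int] = None


# Constructed session table playing the role of the router's session meta data
# (what a WAMP meta API lookup such as wamp.session.get would return).
SESSIONS = {
    1001: {"session": 1001, "authid": "alice", "authrole": "user"},
    1002: {"session": 1002, "authid": "bob", "authrole": "user"},
    1003: {"session": 1003, "authid": "ops", "authrole": "admin"},
}


def lookup_session(session_id: int) -> Optional[dict]:
    """Stand-in for the meta API round-trip; None for unknown session IDs."""
    return SESSIONS.get(session_id)


def require_disclosed_caller(proc):
    """Reject calls whose caller identity was not disclosed, with one standard error.

    Meant for procedures registered with RegisterOptions(details_arg="details"),
    so the router passes CallDetails as the keyword argument `details`.
    """

    @functools.wraps(proc)
    def wrapper(*args, details: Optional[CallDetails] = None, **kwargs):
        if details is None or details.caller is None:
            raise NotAuthorized("com.example.error.caller_not_disclosed",
                                "call with disclose_me=True")
        return proc(*args, details=details, **kwargs)

    return wrapper


# Constructed data store owned by the callee.
PROFILES = {
    "alice": {"email": "alice@example.invalid"},
    "bob": {"email": "bob@example.invalid"},
}


@require_disclosed_caller
def update_email(username: str, new_email: str,
                 details: Optional[CallDetails] = None) -> dict:
    """Change a user's e-mail; allowed for that user or for an admin.

    `username` is a caller-supplied argument and is never trusted on its own:
    the decision rests on the router-disclosed session, resolved to an
    authid/authrole, which the caller cannot forge.
    """
    session = lookup_session(details.caller)
    if session is None:
        raise NotAuthorized("com.example.error.unknown_session", str(details.caller))
    is_owner = session["authid"] == username
    is_admin = session["authrole"] == "admin"
    if not (is_owner or is_admin):
        raise NotAuthorized("com.example.error.not_owner",
                            f"{session['authid']} may not modify {username}")
    if username not in PROFILES:
        raise NotAuthorized("com.example.error.no_such_user", username)
    PROFILES[username]["email"] = new_email
    return {"username": username, "email": new_email, "changed_by": session["authid"]}


if __name__ == "__main__":
    print(update_email("alice", "alice@new.invalid", details=CallDetails(caller=1001)))
    for bad in (None, CallDetails(caller=1002), CallDetails(caller=4242)):
        try:
            update_email("alice", "x@new.invalid", details=bad)
        except NotAuthorized as exc:
            print("rejected:", exc.uri)
```

With autobahn the registration would be the one from #11, `self.register(update_email, 'com.example.update_email', RegisterOptions(details_arg="details"))`; the decorator then turns a missing disclose_me into a single, predictable error URI instead of an AttributeError deep in the handler, and the session lookup is the extra round-trip Tobias and Michel discuss above.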