Reporting back. Using existing libraries, this is much simpler than I was making it. Here's some sample Python code which posts "Hello, World!" to topic ID 2. Thanks, @julian, for telling me about socket.io.
```python
from socketIO_client import SocketIO, LoggingNamespace
import requests
import json

host = 'yourdomain'   # placeholder: your NodeBB host
port = 4567           # placeholder: your NodeBB port (4567 is the default)
base_url = 'http://%s:%d' % (host, port)

session = requests.Session()

# NodeBB rejects POSTs that do not carry the CSRF token served by /api/config
csrf_token = json.loads(session.get(base_url + '/api/config').text)['csrf_token']
headers = {'x-csrf-token': csrf_token}
data = {"username": "yourUsername", "password": "yourPassword"}
response = session.post(base_url + "/login", headers=headers, data=data)
response.raise_for_status()  # fail early if the login did not succeed


def on_response(*args):
    print('on_response', json.dumps(args))


# Reuse the logged-in session cookie so the socket is authenticated as that user
with SocketIO(host, port, LoggingNamespace, cookies=session.cookies.get_dict()) as s:
    s.emit('posts.reply', {'tid': 2, 'content': "Hello, World!"}, on_response)
    s.wait_for_callbacks(seconds=1)
```

Security logging?
-
So, there are certain events which should definitely be logged for administrative review. For example, if my plugin detects a socket request that seems maliciously invalid, it should be logged.
Right now I'm using winston.error and dumping the socket info / specific error info.
Is this correct? Should there be some other logging mechanism for potential attacks/malicious users? Ideally any time something like that occurs, the IP of the attacker should be dumped to the log.
-
Does this help? gh#150
-
Yeah, events.js seems like it should contain the functionality for this. It currently only logs UID, but a lot of those functions should probably log the IP of the triggering party as well.
It seems like the only way to do that is to have IP be a parameter for most of those calls. That's a little tedious.
My fantasy: events are logged to the DB as well as a flat file, have severity/importance levels, contain as much info as possible about who triggered them if the logging fn is passed a socket or request object, there are hooks for events of high severity, and by default an email or notification is sent to admins when a high-severity event occurs.