Plugin websocket communication security

Solved Plugin Development
  • So I'm currently trying to figure out the plugin development with NodeBB. I think I finally found out how the whole communication between a page in the ACP and the plugin works. But I'm now facing a security concern that I'm unclear how to solve.

    Actually the problem is twofold:

    1. If I expose functions in the plugin, what is the best way to make sure that only administrators can call them? Looking at other plugins like the Shoutbox plugin, they add their plugin functions to the admin object. Thus resulting in calls to admin.plugins.my-great-plugin.my-great-function. This way they use the before function in the admin object that makes sure that only an administrator can call the function. Is this the preferred way to do it? Or should I stay out of this namespace?
    2. If I send events to the client, how can I make sure those are only received by an administrator? As far as I could tell everyone that is logged in can join the admin room. Thus if my plugin sends events to the admin room everyone can receive them. Just open your web console and type in app.enterRoom('admin') and you receive all those events. What can I do to prevent this?
    1. Yes put them in admin.plugins.yourPlugin.yourMethod so the before method is called.
    2. You can send the messages to the room uid_<uid_of_user> other users can't join that room.
  • Thank you for the answer.

    Regarding the second point: But thus the message would only be received by one user. So if there is only one administrator this wouldn't be a problem. But if there are multiple administrators?

    To be honest I don't have a use case for this. Putting it in the uid_<uid_of_user> room would be enough for me. So the question is just out of curiousness.

  • You can get all the administrator uids and send them each.
    Some untested sample code

    groups.getMembers('administrators', 0, -1, function (err, uids) {
        uids.forEach(function(uid) {
             websockets.in('uid_' + uid).emit('someEvent', someData);
        });
    });
    
  • Again, thank you for the prompt answer!


Suggested Topics