Plugin websocket communication security
-
So I'm currently trying to figure out the plugin development with NodeBB. I think I finally found out how the whole communication between a page in the ACP and the plugin works. But I'm now facing a security concern that I'm unclear how to solve.
Actually the problem is twofold:
- If I expose functions in the plugin, what is the best way to make sure that only administrators can call them? Looking at other plugins like the Shoutbox plugin, they add their plugin functions to the
adminobject. Thus resulting in calls toadmin.plugins.my-great-plugin.my-great-function. This way they use thebeforefunction in theadminobject that makes sure that only an administrator can call the function. Is this the preferred way to do it? Or should I stay out of this namespace? - If I send events to the client, how can I make sure those are only received by an administrator? As far as I could tell everyone that is logged in can join the
adminroom. Thus if my plugin sends events to theadminroom everyone can receive them. Just open your web console and type inapp.enterRoom('admin')and you receive all those events. What can I do to prevent this?
- If I expose functions in the plugin, what is the best way to make sure that only administrators can call them? Looking at other plugins like the Shoutbox plugin, they add their plugin functions to the
-
- Yes put them in
admin.plugins.yourPlugin.yourMethodso the before method is called. - You can send the messages to the room
uid_<uid_of_user>other users can't join that room.
- Yes put them in
-
Thank you for the answer.
Regarding the second point: But thus the message would only be received by one user. So if there is only one administrator this wouldn't be a problem. But if there are multiple administrators?
To be honest I don't have a use case for this. Putting it in the
uid_<uid_of_user>room would be enough for me. So the question is just out of curiousness.
-
You can get all the administrator uids and send them each.
Some untested sample codegroups.getMembers('administrators', 0, -1, function (err, uids) { uids.forEach(function(uid) { websockets.in('uid_' + uid).emit('someEvent', someData); }); });
-
Again, thank you for the prompt answer!
