Solved Plugin websocket communication security

Plugin Development
Log in to reply
  • Dravere

    So I'm currently trying to figure out the plugin development with NodeBB. I think I finally found out how the whole communication between a page in the ACP and the plugin works. But I'm now facing a security concern that I'm unclear how to solve.

    Actually the problem is twofold:

    1. If I expose functions in the plugin, what is the best way to make sure that only administrators can call them? Looking at other plugins like the Shoutbox plugin, they add their plugin functions to the admin object. Thus resulting in calls to admin.plugins.my-great-plugin.my-great-function. This way they use the before function in the admin object that makes sure that only an administrator can call the function. Is this the preferred way to do it? Or should I stay out of this namespace?
    2. If I send events to the client, how can I make sure those are only received by an administrator? As far as I could tell everyone that is logged in can join the admin room. Thus if my plugin sends events to the admin room everyone can receive them. Just open your web console and type in app.enterRoom('admin') and you receive all those events. What can I do to prevent this?
    0
  • baris
    NodeBB Admin

    1. Yes put them in admin.plugins.yourPlugin.yourMethod so the before method is called.
    2. You can send the messages to the room uid_<uid_of_user> other users can't join that room.
    0
  • Dravere

    Thank you for the answer.

    Regarding the second point: But thus the message would only be received by one user. So if there is only one administrator this wouldn't be a problem. But if there are multiple administrators?

    To be honest I don't have a use case for this. Putting it in the uid_<uid_of_user> room would be enough for me. So the question is just out of curiousness.

    0
  • baris
    NodeBB Admin

    You can get all the administrator uids and send them each.
    Some untested sample code

    groups.getMembers('administrators', 0, -1, function (err, uids) {
    uids.forEach(function(uid) {
         websockets.in('uid_' + uid).emit('someEvent', someData);
    });
});
    1
  • Dravere

    Again, thank you for the prompt answer!

    0

Suggested Topics

| | |

Copyright © 2022 NodeBB | Contributors

Get Started

Resources

Company

Start Free Trial
Github Facebook Instagram Twitter
© 2014 – 2022 NodeBB, Inc. — Made in Canada.