I have a PHP application that is already up and running and we have to implement a chat messaging system in it. We chose to do this with nodejs and socket.io as it seems the most effective and one of the best documented. I have PHP handling all the DB stuff and node just doing what it's most effective at: nonblocking io to update the client side when a message is received real time (through rooms). I also have a token based authentication going on using jsonwebtokens.
Everything is actually running well now:
When someone sends a message:
1. JS sends an ajax request to PHP
2. PHP saves the message to the database
3. PHP returns a response
4. JS receives the ajax response and then emits an event to signal to the node to update the appropriate clients
5. Node emits an event to the appropriate clients to update their views: notification icons, a silly sound and whatnot.
What I'm worried about is steps 4 and 5. Since the data that will be passed to node in these steps are on the client side, any rogue user can effectively make modifications to these data and potentially be able to trigger an update of a view of another user even if he is not the intended receiver. The obvious solution that I can think of is to allow node to have access to the database and validate that only the legitimate recipient will receive the event trigger, but that defeats the purpose of separating the concerns of the PHP app and node. What is the standard way of handling such a situation?