
Using sails sockets. From a browser I can get all 'tasks' where the user id is 1. I can now listen for the 'task' event and look for 'created' in the verb to get new tasks and add them to the list.

However I get events from ALL created tasks regardless of user. This seems to me to be a major security issue. All someone needs to do is jump into the console and set up a listener to get notified whenever any user creates a new task.

I had a look around for some time but can't find any posts on the topic. Being new to this kind of thing - can someone be kind enough to help out?

What is the best practice for dealing with lists over socket.io in Sails?

Cheers!

MickCrozier

1 Answer

This should be what you're looking for; it prevents you from subscribing to all existing tasks on the client side. It only subscribes if you're logged in and only to tasks that belong to you. Keep in mind that this is just a first step in implementing a secure REST API for your app - but it should get you started.

In your client-side app you'd write:

socket.on('connect', function socketConnected()
{
    // This subscribes the user to all tasks that belong to him and only him.
    socket.get('/task/subscribe', null, function response(data, jwres)
    {
        // We don’t really care about the response.
    });

    // This 1.) creates a new task and 2.) subscribes the user to that task.
    // If the 'rest' blueprint is on, POSTing to /task gets redirected to TaskController.create automatically by sails.
    // If it's not on, you write "socket.get('/task/create' ..."
    socket.post('/task', {name : 'MyNewTask'}, function response(data, jwres)
    {
        // Add the created task inside of 'data' to your client side app.
    });
})

Then in TaskController.js you would write:

subscribe : function(req, res)
{
    // Is the user logged in?
    if(!req.session.user)
    {
        return res.badRequest();
    }

    // Find all tasks that belong to the currently logged in user.
    Task.find({userID : req.session.user.id}, function findUsersCB(err, tasks)
    {
        if(err)
        {
            return res.serverError(err);
        }

        // Subscribe the user to all of his tasks (only possible when the request came in over a socket).
        if(req.isSocket)
        {
            Task.subscribe(req.socket, tasks);
        }

        // Send user's tasks back to the client.
        res.json(tasks);
    });
}

create : function(req, res)
{
    // Is the user logged in?
    if(!req.session.user)
    {
        return res.badRequest();
    }

    // The owner is taken from the session, never from the request body.
    var taskToBeCreated =
    {
        name : req.param('name'),
        userID : req.session.user.id
    };

    // Attempt to create the given task.
    Task.create(taskToBeCreated, function createTaskCB(err, createdTask)
    {
        if(err)
        {
            return res.serverError(err);
        }

        // Subscribe the user to the newly-created task (only possible when the request came in over a socket).
        if(req.isSocket)
        {
            Task.subscribe(req.socket, createdTask);
        }

        // Send the created task back to the client.
        res.json(createdTask);
    });
}

I haven't shown an example for the 'update' and 'destroy' actions but the idea is the same for both.

Alex Alksne
  • Thanks Alex for the prompt reply. However in your code there are no events sent to socket subscribers when a new task is created. I believe this is where my issue is; using publishCreate as the sails docs suggest and is used in the blueprints sends the created event to ALL subscribers - whether or not they are authorized. – MickCrozier May 03 '15 at 00:14
  • Actually, you would need a Model.watch in there as well to subscribe to the create/destroy events. But how do we stop them from being broadcast to everyone? – MickCrozier May 03 '15 at 00:28
  • Hm, I just want to clarify, are you looking to only notify the user when a task that belongs to him has been changed/deleted? – Alex Alksne May 03 '15 at 01:36
  • Both of those - also when a new task has been added to the list from another location such as a mobile device. User/task is not a good example (I'm abstracting for simplicity). More realistically: a Group can have many Tasks, and also has many Users. So each user in the Group would be able to CRUD the task list; when adding a new task the group's associated users need to be notified of (and then subscribe to) the new task. Which is all reasonably straightforward in sails - except how do I protect subscribers of the Group 1 task list from being notified that Group 2 has a new task. – MickCrozier May 03 '15 at 12:54
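The pattern behind the answer, and the fix for the Group 1 / Group 2 leak raised in the last comment, is to make authorization happen at subscribe time and to publish into a per-group room instead of to every `Model.watch` listener. The following is an added, stand-alone example (not code from the answer above and not Sails' own code): an in-memory model in which `joinRoom` and `broadcast` stand in for `sails.sockets.join()` / `sails.sockets.broadcast()`, `createTask` stands in for the controller's create action, and `GROUP_MEMBERS`, the user names and `makeHub`/`runScenario` are constructed assumptions for the illustration.

```javascript
// Added example (not from the original answer or from Sails): room-scoped
// notifications with membership checked both when subscribing and when creating.

// Constructed fixture: group id -> set of user ids allowed to see that group's tasks.
const GROUP_MEMBERS = {
  1: new Set(['alice', 'bob']),
  2: new Set(['carol'])
};

function makeHub(groupMembers) {
  const rooms = new Map();   // room name -> Set of sockets (stand-in for socket.io rooms)
  const tasks = [];          // stand-in for the Task model's storage
  let nextTaskId = 1;

  // A "socket" here is just an object that records the events it receives.
  function makeSocket(id) { return { id, received: [] }; }

  // Stand-in for sails.sockets.join(socket, roomName).
  function joinRoom(socket, room) {
    if (!rooms.has(room)) rooms.set(room, new Set());
    rooms.get(room).add(socket);
  }

  // Stand-in for sails.sockets.broadcast(roomName, event, data); returns the delivery count.
  function broadcast(room, event, data) {
    const members = rooms.get(room) || new Set();
    for (const s of members) s.received.push({ event, data });
    return members.size;
  }

  // Membership is the single source of truth for authorization.
  function isMember(session, groupId) {
    const members = groupMembers[groupId];
    return Boolean(session && session.user && members && members.has(session.user.id));
  }

  // Subscribe action: refuse anonymous and non-member requests, so the socket
  // never enters a room it is not entitled to and later broadcasts never reach it.
  function subscribeToGroup(session, socket, groupId) {
    if (!session || !session.user) return { ok: false, reason: 'not logged in' };
    if (!isMember(session, groupId)) return { ok: false, reason: 'forbidden' };
    joinRoom(socket, 'group_' + groupId);
    return { ok: true };
  }

  // Create action: re-check membership, store the task, then publish the
  // 'created' event only to that group's room (instead of Task.publishCreate(),
  // which goes to every watcher of the model).
  function createTask(session, groupId, name) {
    if (!session || !session.user) return { ok: false, reason: 'not logged in' };
    if (!isMember(session, groupId)) return { ok: false, reason: 'forbidden' };
    const task = { id: nextTaskId++, groupId, name, createdBy: session.user.id };
    tasks.push(task);
    const delivered = broadcast('group_' + groupId, 'task',
      { verb: 'created', id: task.id, data: task });
    return { ok: true, task, delivered };
  }

  return { makeSocket, subscribeToGroup, createTask, tasks };
}

// Constructed scenario: alice and bob are in group 1, carol is only in group 2.
function runScenario() {
  const hub = makeHub(GROUP_MEMBERS);
  const alice = hub.makeSocket('alice-browser');
  const carol = hub.makeSocket('carol-browser');
  const aliceSession = { user: { id: 'alice' } };
  const bobSession = { user: { id: 'bob' } };
  const carolSession = { user: { id: 'carol' } };

  const aliceSub = hub.subscribeToGroup(aliceSession, alice, 1);       // allowed
  const carolSubGroup1 = hub.subscribeToGroup(carolSession, carol, 1); // refused: not a member
  const carolSubGroup2 = hub.subscribeToGroup(carolSession, carol, 2); // allowed
  const anonSub = hub.subscribeToGroup({}, carol, 2);                  // refused: no session user

  const created = hub.createTask(bobSession, 1, 'Write report');       // reaches alice only
  const forbidden = hub.createTask(carolSession, 1, 'Sneak in');       // refused

  return { aliceSub, carolSubGroup1, carolSubGroup2, anonSub, created, forbidden,
           aliceEvents: alice.received, carolEvents: carol.received };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

In a real Sails controller the same shape applies: the subscribe action checks the session user's membership before calling `sails.sockets.join(req.socket, roomName)`, and the create action calls `sails.sockets.broadcast(roomName, 'task', {verb: 'created', ...})` after saving, so a listener opened from the browser console for group 1 is never in the room that receives group 2's events.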