4

I'm using the Express framework and Juggernaut. I looked at many examples of Juggernaut, and all of them use this method (client side):

  var jug = new Juggernaut;
  jug.subscribe("channel_name", function(data){
    console.log("Got data: " + data);
  });

Is it secure? I don't think so; anybody can subscribe to a channel from the JavaScript console. Is there a way to subscribe to a channel from the server side?

sfs
  • What should be insecure about it? Also, do you want to subscribe to Juggernaut that's running on **another** server, or on the same one? – Ivo Wetzel Jan 09 '11 at 21:50
  • 2
    I took the example from here: https://github.com/maccman/juggernaut. As you can see, you can subscribe to a channel from the browser. I want private channels in my application, so this way is insecure for me. I want to check the session and then allow the subscription. – sfs Jan 12 '11 at 12:06

2 Answers

1

Use security through obscurity, use a random channel name (HMAC).

Alex MacCaw
  • Indeed I'm finding this is the only way to have somewhat secure channels in most pubsub systems (PubNub, Redis also) – Alex Neth Nov 29 '11 at 01:54
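
An added example of the HMAC channel-name approach from the answer above (not code from the answer's author or from the Juggernaut project): the server derives a per-user channel name from a secret it never sends to the browser, and hands the name out only after the session check the question asks for. The names `privateChannel`, `channelForSession`, `isChannelFor` and the `session.userId` field are assumptions made for this sketch.

```javascript
// Node.js, standard library only.
const crypto = require('crypto');

// Assumption: a server-side secret that never reaches the browser.
// Constructed here for the demo; load it from configuration in practice
// so the publisher process derives the same names.
const CHANNEL_SECRET = crypto.randomBytes(32);

// Derive the channel name for one user. Without the secret the name cannot
// be computed from the user id, so it cannot be guessed from the console.
function privateChannel(userId, secret = CHANNEL_SECRET) {
  const mac = crypto.createHmac('sha256', secret)
    .update('channel:' + String(userId))
    .digest('hex');
  return 'private-' + mac;
}

// Hypothetical helper for the route that renders the page: returns the
// name to embed for the client's jug.subscribe() call, or null when the
// session is not authenticated.
function channelForSession(session) {
  if (!session || !session.userId) return null;
  return privateChannel(session.userId);
}

// Constant-time check for any place the server has to validate a channel
// name that a client sent back.
function isChannelFor(userId, candidate) {
  const expected = Buffer.from(privateChannel(userId));
  const given = Buffer.from(String(candidate));
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed sample sessions.
console.log(channelForSession({ userId: 42 })); // private-<64 hex chars>
console.log(channelForSession({}));             // null
```

The derived name works as a bearer secret: anyone who obtains it can still subscribe, so it should only travel over TLS and change when the secret is rotated.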
0

I don't know how Juggernaut works, but I know that Faye supports extensions that can include authentication, so that subscribe operations require a valid token. See: http://faye.jcoglan.com/node.html

It would be worth checking whether Juggernaut supports a similar extension/intercept model.

Scott Wilson