I am a little new to SSE (server-sent events) implementation.

What I am trying to do is maintain a security check before connecting to SSE URLs.
For example, I have an SSE URL which the clients will connect to through EventSource:

   new EventSource("http://my.example.com/deviceData");

So, not every client should be able to connect to it. I have to restrict it to some clients. How can I do that?

A code sample will be really helpful.

Ankit Kumar
  • You secure it just like you would any other resource. That is the beauty of SSE. It is HTTP. – baynezy Nov 07 '17 at 09:53
  • Also check out the accepted answer here: [https://stackoverflow.com/questions/20324657/eventsource-sse-server-sent-svents-security](https://stackoverflow.com/questions/20324657/eventsource-sse-server-sent-svents-security) – obotezat Aug 23 '18 at 09:11

1 Answer

If the restriction is by IP, your server-side script can look at the headers and reject based on that. (It could also reject based on any of the other headers, but most of them can be forged, e.g. user-agent.)

If you are after the user logging in, you should use cookies. The simplest way is to have a login form on my.example.com that validates the user, and sends back a cookie. That cookie will then be sent to your SSE script, which can use its contents to validate the user. (If using this approach, you may also want to use https URLs: make sure both the login form and the SSE script are on https, in that case.)

Darren Cook
  • But the SSE URLs which I am exposing, those can be used even without logging in (suppose I want to test SSE via the curl command). So, in such a case, how will you validate, as you cannot post any data via the EventSource API (it doesn't support that)? – Ankit Kumar Nov 08 '17 at 11:31
  • You still have an IP address when using curl, even if it is 127.0.0.1; so set your script to allow that one. Or, curl can also be set up to use cookies (e.g. https://stackoverflow.com/a/31255914/841830 ) – Darren Cook Nov 08 '17 at 13:38
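
As an added example (not code from the question, the answer, or any project), here is a Node.js sketch of the two checks the answer describes, an IP allowlist and a login cookie, applied before the event stream is opened. The cookie format (`user.expiry.hmac`), `SECRET`, `ALLOWED_IPS` and all function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumptions for this sketch: secret and allowlist are hard-coded, user names contain no ".".
const SECRET = "constructed-demo-secret";
const ALLOWED_IPS = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Value the login handler sets as the "session" cookie (with Secure; HttpOnly): user.expiry.hmac
function signSession(user, expires) {
  const body = `${user}.${expires}`;
  const mac = crypto.createHmac("sha256", SECRET).update(body).digest("hex");
  return `${body}.${mac}`;
}

// Returns the user name for a valid, unexpired cookie, otherwise null.
function verifySession(cookieHeader = "", now = Date.now()) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader);
  if (!m) return null;
  const [user, expires, mac] = m[1].split(".");
  if (!mac || !/^\d+$/.test(expires)) return null;
  const got = Buffer.from(m[1]);
  const want = Buffer.from(signSession(user, expires));
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  return Number(expires) > now ? user : null;
}

// Decide from the socket address and the Cookie header only. User-Agent and a
// client-sent X-Forwarded-For are caller-controlled and prove nothing.
function authorize(req) {
  if (ALLOWED_IPS.has(req.socket.remoteAddress)) return { status: 200, who: "allowlisted-ip" };
  const user = verifySession(req.headers.cookie);
  return user ? { status: 200, who: user } : { status: 401, who: null };
}

// Handler for http.createServer(deviceData): refuse before any stream bytes are sent.
function deviceData(req, res) {
  const auth = authorize(req);
  if (auth.status !== 200) {
    res.writeHead(auth.status, { "Content-Type": "text/plain" });
    return res.end("unauthorized\n");
  }
  res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache" });
  res.write(`data: connected as ${auth.who}\n\n`);
}
```

A browser `EventSource` that receives the 401 fires its `error` event and does not retry, so the rejection is final until the client logs in and opens a new connection.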