Mercure publishes to topic JWT token should not be allowed to #579
Comments
This is the intended behavior (as described in the spec). It's why there is the
@dunglas Ok, thanks for your quick reply. Can you suggest how to implement private publishing topics for client-to-client behavior, or does this have to be done through a backend proxy service?
I'm not sure I follow. Clients' code can set the
@dunglas Yes, but we have a system where we cannot trust the client. A user can just create his own request to Mercure with the same JWT token he got from our system and not set Is it possible to request that we can control this private behavior with configuration? https://github.com/dunglas/mercure/blob/main/publish.go#L49 example like
We would like to enforce this value to true always for our use case, so that client-to-client can only publish to the topics that are encoded in the
Good idea to add a configuration option to only allow private updates. +1 on my side. This would also prevent mistakes by programmers forgetting to set the flag. Still, I fail to understand the use case. Nothing can prevent a client from sharing the data it owns with another user (using another channel than Mercure if necessary). And it could only harm itself by doing so, as it already has the data.
Our use case is pretty simple. We have a Mercure we use as a ping service to show online state. A logged-in account can send pings to other accounts on the same workspace through JavaScript (frontend). JWTs for Mercure are produced by the backend on page load. As such we would produce a JWT for the account
Now assume that we have another account
By design Account Now in OUR frontend code we can set
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@mariuseliassen sorry for the long delay, but could you check if #620 fixes your issue, please?
Mercure version:
0.13
Without the "private" flag on, messages are being sent to subscribers even if the topic is not in the subscriber's or publisher's allowed whitelist.
Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjdXJlIjp7InB1Ymxpc2giOlsiL3dvcmtzcGFjZXMvMTIzIl0sInN1YnNjcmliZSI6WyIvd29ya3NwYWNlcy8xMjMiXX19.bxyELLWxI60AUT1xC3OR0cU_62vRUV0WVyuj00EDWjs
Unauthorized is only thrown if "Private" is ticked.
This does not work well for client-to-client mercure applications as this can be overwritten by any client.
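To make the behaviour reported here concrete, the following is an added Go example (not Mercure's own code): it decodes the claims of the token quoted above and models the hub's delivery rule for public versus private updates on a topic. The names `decodeClaims`, `covers` and `deliver` and the subscriber set in the test are assumptions of the example, and topic matching is reduced to exact match or `*`.

```go
package main
import "encoding/base64"
import "encoding/json"
import "errors"
import "strings"

// Claims is the "mercure" object carried in a Mercure JWT.
type Claims struct {
	Publish   []string `json:"publish"`
	Subscribe []string `json:"subscribe"`
}

// decodeClaims reads the mercure claims of a JWT WITHOUT verifying its signature
// (a hub must verify first); used here only to inspect the issue's token.
func decodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var body struct{ Mercure Claims `json:"mercure"` }
	err = json.Unmarshal(raw, &body)
	return body.Mercure, err
}

// covers reports whether a claim list authorizes topic (exact match or "*" only).
func covers(claim []string, topic string) bool {
	for _, t := range claim {
		if t == "*" || t == topic {
			return true
		}
	}
	return false
}

// deliver returns which connections subscribed to topic (name -> presented
// claims) receive an update: all when it is public, only those whose subscribe
// claim covers the topic when private. "Force private" = always pass true here.
func deliver(subs map[string]Claims, topic string, private bool) map[string]bool {
	got := map[string]bool{}
	for name, c := range subs {
		if !private || covers(c.Subscribe, topic) {
			got[name] = true
		}
	}
	return got
}
```

Running `deliver` with `private=false` shows a connection holding no token, or a token for another workspace, still receiving the update, which is the leak this issue describes; with `private=true` only the token authorized for `/workspaces/123` does.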