Added an allowed connection type filter for users #1594
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Users and NKey users will now have the option to specify a list of allowed connection types. This will allow for instance a certain user to be allowed to connect as a standard NATS client, but not as Websocket, or vice-versa. This also fixes the websocket auth override. Indeed, with the original behavior, the websocket users would have been bound to $G, which would not work when there are accounts defined, since when that is the case, no app can connect/bind to $G account. Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
kozlovic
force-pushed
the
fix_websocket_auth
branch
from
b4d7de5
to
7ccbaca
Compare
kozlovic
changed the title
|
@derekcollison I have completely changed the approach with a list of connection types allowed for given user/nkey. We updated the JWT library to provide this new field in the JWT and some constants. |
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
|
@matthiashanel Thanks for that because it made me realize that in the case of JWT coming with an unknown type, we should not automatically fail the connection. See the big comment that I added in auth.go and let me know if you agree or not. |
We were doing option validation from options parsing, but added it also for Users/NKeyUsers options. Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
|
@matthiashanel Sorry, I added yet another commit: do validation of options for users that embed NATS Server in their app and would configure Users/NKeys directly. (I will squash all those commits at time of merge) |
This was referenced Mar 15, 2021
Closed
Merged
Closed
Closed
This was referenced Mar 15, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Users and NKey users will now have the option to specify a list
of allowed connection types.
This will allow for instance a certain user to be allowed to
connect as a standard NATS client, but not as Websocket, or
vice-versa.
This also fixes the websocket auth override. Indeed, with
the original behavior, the websocket users would have been bound
to $G, which would not work when there are accounts defined, since
when that is the case, no app can connect/bind to $G account.
Signed-off-by: Ivan Kozlovic ivan@synadia.com