Authorization on _INBOX.>

[ramasa]

We are using nats as a channel for JSON-RPC and exposed it to our client so that they can invoke our API using Message reply = nc.request("req.foo", request)
How do I prevent our client from subscribing to '_INBOX.>' and read other's response?

authorization {
CLIENT = {
publish = ["req.foo", "req.bar"]
subscribe = "_INBOX.>"
}

Only way I see now is to mimic NatsConnection.request method to use a custom inbox like _INBOX.clientid.*

and set client specific rule as below
authorization {
CLIENT1 = {
publish = ["req.foo", "req.bar"]
subscribe = "_INBOX.client1.>"
}

Exposing NatsConnection.INBOX_PREFIX might help?

[sasbury]

I am going to look at making that public, but had a thought about making it an option, not sure what the effect would be in the client, I will have to double check. What do you think about having that be settable?

[ramasa]

Not much familiar with client implementation but as a user below options comes to mind

1. io.nats.client.Options parameter
2. io.nats.client.Connection.request parameter
3. or generic way - by default use _INBOX.<username>. as prefix , where <username> is the authorized user?

One more clarification, Our customer use .NET client, should I raise this issue in nats-io/csharp-nats project also?