cannnot subscribe with access mode

[gabriel-vasile]

to reproduce:

• 2 users
• user A creates a group with
  Default access mode:
  Auth: JRWPASD
  Anon: N
• user B tries to subscribe to the group with an access mode:
  {"sub":{"id":"122019","topic":"grpglXHsm2f9tc","set":{"sub":{"mode":"JRP"}},"get":{"data":{"limit":24},"what":"data sub desc"}}}

expected: user B joins the group successfully and has access mode JRP
got: topic[grpglXHsm2f9tc] subscription failed subscription rejected due to permissions

asLvl is 0 here when user B subs:

chat/server/topic.go

Line 1363 in 65efc3e

asLvl := auth.Level(pkt.AuthLvl)

[or-else]

Please attach the server-side and client-side logs.

[gabriel-vasile]

user A:

tinode        | 2022/03/29 07:57:34 ws: session started nWImM_nmdyg 172.21.0.1:45504 1
tinode        | 2022/03/29 07:57:34 in: '{"hi":{"id":"101521","ver":"0.18.3","ua":"TinodeWeb/0.18.3 (Firefox/95.0; Linux x86_64); tinodejs/0.18.3","lang":"en-US","platf":"web"}}' sid='nWImM_nmdyg' uid=''
tinode        | 2022/03/29 07:57:34 in: '{"login":{"id":"101522","scheme":"sch","secret":"secre<...>' sid='nWImM_nmdyg' uid=''
tinode        | 2022/03/29 07:57:39 in: '{"sub":{"id":"101523","topic":"me","get":{"what":"sub desc tags cred"}}}' sid='nWImM_nmdyg' uid='Xjxeeayxo70'
tinode        | 2022/03/29 07:57:39 in: '{"sub":{"id":"101524","topic":"grpglXHsm2f9tc","get":{"what":"sub desc"}}}' sid='nWImM_nmdyg' uid='Xjxeeayxo70'
tinode        | 2022/03/29 07:57:41 in: '{"sub":{"id":"101525","topic":"fnd","get":{"what":"sub"}}}' sid='nWImM_nmdyg' uid='Xjxeeayxo70'
tinode        | 2022/03/29 07:57:59 in: '{"leave":{"id":"101527","topic":"grpglXHsm2f9tc"}}' sid='nWImM_nmdyg' uid='Xjxeeayxo70'
tinode        | 2022/03/29 07:57:59 in: '{"sub":{"id":"101528","topic":"new101526","set":{"desc":{"public":{"fn":"test sub with acc mode","note":"␡"}}},"get":{"data":{"limit":24},"what":"data sub desc"}}}' sid='nWImM_nmdyg' uid='Xjxeeayxo70'

user B:

tinode        | 2022/03/29 08:00:09 ws: session started TCCIa40zvs8 172.21.0.1:45592 2
tinode        | 2022/03/29 08:00:09 in: '{"hi":{"id":"112854","ver":"0.18.3","ua":"TinodeWeb/0.18.3 (Firefox/95.0; Linux x86_64); tinodejs/0.18.3","lang":"en-US","platf":"web"}}' sid='TCCIa40zvs8' uid=''
tinode        | 2022/03/29 08:00:09 in: '{"login":{"id":"112855","scheme":"sch","secret":"secre<...>' sid='TCCIa40zvs8' uid=''
tinode        | 2022/03/29 08:00:14 in: '{"sub":{"id":"112856","topic":"me","get":{"what":"sub desc data"}}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:14 in: '{"sub":{"id":"112857","topic":"fnd"}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:14 in: '{"set":{"id":"112858","topic":"fnd","desc":{"public":"_type=grp&_query=&_topics=grpglXHsm2f9tc"}}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:14 in: '{"get":{"id":"112859","topic":"fnd","what":"sub"}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:14 in: '{"leave":{"id":"112860","topic":"fnd"}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:23 in: '{"sub":{"id":"112861","topic":"fnd"}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:23 in: '{"set":{"id":"112862","topic":"fnd","desc":{"public":"_type=grp&_query=&_topics="}}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:23 in: '{"get":{"id":"112863","topic":"fnd","what":"sub"}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:23 in: '{"leave":{"id":"112864","topic":"fnd"}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:28 in: '{"sub":{"id":"112865","topic":"grphyQeaKeBSso","set":{"sub":{"mode":"JRP"}},"get":{"data":{"limit":24},"what":"data sub desc"}}}' sid='TCCIa40zvs8' uid='ZjGgtungZVU'
tinode        | 2022/03/29 08:00:28 topic[grphyQeaKeBSso] subscription failed subscription rejected due to permissions, sid=TCCIa40zvs8

Again, to reproduce, just sub to group and ask for any access mode other than the default access mode.

[or-else]

I cannot reproduce:

[02:29:49.021] out: {"sub":{"id":"102361","topic":"grpGOZmMsRbMWQ","set":{"sub":{"mode":"JRP"}},"get":{"data":{"limit":24},"what":"data sub desc"}}} 
[02:29:49.035] in: {"ctrl":{"id":"102361","topic":"grpGOZmMsRbMWQ","params":{"acs":{"mode":"JRP","given":"JRWPS","want":"JRP"}},"code":200,"text":"ok","ts":"2022-03-31T02:29:49.022Z"}} 

[or-else]

I suspect your previously subscribed to this topic.

[or-else]

asLvl is 0 here when user B subs:

You are probably using your own gRPC client.

[gabriel-vasile]

I did some more tests and I'm not sure if i found another issue or it is the same. It seems to have something to do with gRPC plugins.

To reproduce the problem:

1. create a gRPC plugin which returns pbx.RespCode_REPLACE and the original, unaltered client msg. As I understand from doc comments, this plugin should have no effect on the functionality of the server.

package dummy_plg
import (
	"context"
	"net"

	"github.com/tinode/chat/pbx"
	"google.golang.org/grpc"
)
func main() {
	lis, err := net.Listen("tcp", ":40051")
	if err != nil {
		panic(err)
	}
	s := grpc.NewServer()

	pbx.RegisterPluginServer(s, handler{})
	if err := s.Serve(lis); err != nil {
               panic(err)
        }
}
type handler struct {
	pbx.UnimplementedPluginServer
}
func (h handler) FireHose(c context.Context, r *pbx.ClientReq) (*pbx.ServerResp, error) {
	return &pbx.ServerResp{Status: pbx.RespCode_REPLACE, Clmsg: r.Msg}, nil
}

tinode.conf

	"plugins": [
		{
			"enabled": true,
			"name": "dummy_plg",
			"timeout": 200000,
			"filters": {
				"fire_hose": "pub,sub,get,set"
			},
			"failure_code": 0,
			"failure_text": null,
			"service_addr": "tcp://localhost:40051"
		}
	],

2. login in webapp, sub to someone, send messages, etc.

expected: everything works as if the plugin was not there
got: tinode | 2022/04/01 09:58:56 s.dispatch: authentication required AsOyMHwbiMk

server logs:

tinode        | 2022/04/01 10:06:37 ws: session started hag0AaSGAeE 172.27.0.1:52878 1
tinode        | 2022/04/01 10:06:37 in: '{"hi":{"id":"116803","ver":"0.18.3","ua":"tinodejs/0.18.3","lang":"en-US","platf":"web"}}' sid='hag0AaSGAeE' uid=''
tinode        | 2022/04/01 10:06:37 in: '{"login":{"id":"116804","scheme":"basic","secret":"secret' sid='hag0AaSGAeE' uid=''
tinode        | 2022/04/01 10:06:41 in: '{"sub":{"id":"116805","topic":"me","get":{"what":"sub desc tags cred"}}}' sid='hag0AaSGAeE' uid='FfD0YCfLURI'
tinode        | 2022/04/01 10:06:41 s.dispatch: authentication required hag0AaSGAeE

[gabriel-vasile]

To fix the problem with authentication required and get to the original reported problem subscription failed subscription rejected due to permissions, inside plugin FireHose method I can add this:

func (h handler) FireHose(c context.Context, r *pbx.ClientReq) (*pbx.ServerResp, error) {
       if r.Msg.Extra == nil {
               r.Msg.Extra = &pbx.ClientExtra{}
       }
       r.Msg.Extra.OnBehalfOf = r.Sess.UserId
       return &pbx.ServerResp{Status: pbx.RespCode_REPLACE, Clmsg: r.Msg}, nil
}

[or-else]

I believe 1fc9699 should fix it. Please verify.

[gabriel-vasile]

Seems fixed, thanks.

[or-else]

released in https://github.com/tinode/chat/releases/tag/v0.18.4