Authentication and authorization #268
Oh nice, it would be great to add them to the README ;)
Have just set up a basic wiki where we can maybe start collecting together info like this from users? Please feel free to move/add anything there that you think others might find handy. And that way no need to wait for me to merge, etc. Cheers :-)
I read through all of the suggested docs and I still don't understand how I should handle authentication, what the lifecycle for uid/sessions are and during what event I should assign or check them. Do I need to wrap sente routes with Is there a full example somewhere? Would appreciate it.
I've read all the discussions in the issues about authorization and authentication. Here's my current understanding.
server to identify uniquely a client which has passed the login test.
flag. This is vulnerable to client-side manipulation and is not a true authentication procedure.
:uid tag by which Sente identifies a client to enable server-side pushing. After authentication, simply set the :uid tag.
:uid for two purposes, which is efficient. Thereafter Sente checks for the :uid anyway. However this method doesn't allow token timeout, and the Buddy library expects the token to live in :identity.
:identity or with :uid should be encrypted in some special way. If not we are essentially checking for the mere existence of the token, whatever it is.
:identity then we also get the Buddy functions. As long as Sente passes the normal Ring session back and forth over the web sockets, then we can set and pass tokens on client and server sides in the normal Buddy way. It seems this is preferable to duplicating security functionality to work with Sente. And this is why Sente is or can be orthogonal to Buddy/Friend.
How does that sound, especially 5?
One more follow up question.
In #173 it's pointed out that we can use a params option when creating a channel socket. If I use that, should I be starting the router with the :params option, sending my authorization request, and then close the router? I would then run (sente/start-chsk-router! ch-chsk event-msg-handler*) again for a specific future request, without the :params.
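An added example, not from this thread or from Sente's own code, of the session-based flow discussed above: `:uid` is written into the Ring session only by the server after a credential check, and a guard drops events from sockets that have no `:uid`. The names `demo-users`, `secure=`, `login-handler` and `wrap-authenticated` are hypothetical; it assumes Ring session middleware and keywordized params are in place.

```clojure
(ns example.sente-auth
  "Added illustration; the functions here are hypothetical helpers,
  not part of Sente's or Buddy's API.")

;; Constructed credential store standing in for a real credential check
;; (a password-hash lookup in practice). Demo data only.
(def demo-users {"alice" "correct horse"})

(defn- secure=
  "Constant-time comparison of two strings."
  [^String a ^String b]
  (java.security.MessageDigest/isEqual (.getBytes a "UTF-8")
                                       (.getBytes b "UTF-8")))

(defn login-handler
  "Ring handler. Sets :uid in the server-side session only after the
  credential check passes; the client never supplies :uid itself."
  [{:keys [session params]}]
  (let [{:keys [user-id password]} params
        expected (get demo-users user-id)]
    (if (and expected (string? password) (secure= expected password))
      {:status 200 :session (assoc session :uid user-id)}
      ;; Failed login: make sure no stale :uid survives in the session.
      {:status 401 :session (dissoc session :uid)})))

(defn user-id-fn
  "Same lookup as Sente's default :user-id-fn: read :uid from the Ring
  session attached to the handshake request."
  [ring-req]
  (get-in ring-req [:session :uid]))

(defn wrap-authenticated
  "Wraps a Sente event handler. Events from sockets without a :uid are
  answered with an error (when a reply is expected) and not dispatched."
  [handler]
  (fn [{:keys [uid ?reply-fn] :as ev-msg}]
    ;; Sente tracks connections that have no user id under
    ;; :taoensso.sente/nil-uid, so treat that the same as nil.
    (if (or (nil? uid) (= uid :taoensso.sente/nil-uid))
      (when ?reply-fn (?reply-fn {:error :unauthenticated}))
      (handler ev-msg))))

(comment
  ;; Constructed requests for trying the handlers at a REPL.
  (login-handler {:session {} :params {:user-id "alice" :password "correct horse"}})
  (login-handler {:session {:uid "alice"} :params {:user-id "alice" :password "wrong"}})
  ((wrap-authenticated (fn [ev] :handled)) {:uid nil :id :app/ping}))
```

The wrapped handler is what would be passed to `sente/start-chsk-router!`. Because the `:uid` is read from the session at handshake time, a client that logs in over an already-open channel socket has to reconnect before the server sees the new `:uid`.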