Skip to content

User access control

daredevildave edited this page Oct 23, 2012 · 13 revisions

When you create a server, you can specify an auth(agent, action) method. This method will be called anytime a user tries to do anything, and you can choose whether to accept or reject the attempted action.

The auth method gets access to the user agent, which is a persistent object assigned to each user for the duration of their session.

The auth method is specified in the options object when a server is created and can be for both authentication (is the user who they say they are) and authorization (is the user allowed to perform an action).

Here is an example of that checks the authentication of a user but will not allow them to delete documents

options =
  db:
    type:'memory'
  auth: (agent, action) ->
    if action.type == 'connect'
      # check user has valid authentication token
      if agent.authentication == '1234'
        action.accept()
      else
        action.reject()
    else if action.type == 'delete'
      # no users are allowed to delete
      action.reject()
    else
      # all other actions allowed
      action.accept()

server = connect(...)
sharejs.attach server, options
server.listen 8000

agent object

agent is an object which is uniquely associated with the client connection. The user agent object has the following fields:

  • authentication: String or object which is sent when the client connects, use this for authentication tokens.
  • headers: Dictionary of the client's HTTP headers. This is set when the client initially connects and is not updated. Header names are lowercase.
  • sessionId: A random string associated with the client session.
  • connectTime: A Date which says when the session was established
  • remoteAddress: The IP or hostname of the client
  • name: The user's name or identifier. Defaults to null. You should set this when a client connects.

The user agent object is kept for as long as the corresponding client stays connected. As a result, you can cache your own custom data in the object. For example, you could fetch a user's session cookie in the http headers. Look that up in your session database, then put their actual username in the agent object.

action object

action is an object which represents what the user is trying to do.

The most important fields of the action are action.accept() and action.reject(). Call accept() to allow the user's action and reject() to deny it.

auth must always call either accept or reject exactly one time!

Other fields:

  • name: The name of the action.
  • type: CRUD action type (create, read, update or delete. ... Or connect.. because I need that too.)
  • responded: true when either accept() or reject() has been called, false` until then.

Actions

Name Type Other fields Description
connect connect - A client is trying to connect. All the interesting information is in the user agent object. All clients will generate a connect request, even when their connection is not persistant.
create create docName, docType, meta Create a new document
get snapshot read docName Get a document snapshot
get ops read docName, start, end Get historical operations from start to end on the document. If end is null, the client is requesting all ops.
open read docName The client is opening a document. This will result in a stream of all applied operations. It may be used in conjunction with get ops. (This used to be called 'listen' in ShareJS 0.4)
submit op update docName, op, v, meta Apply op to docName at version v
delete delete docName Permanently delete the named document

Please try it out and file any bugs you find!

Clone this wiki locally