WebSocket URL change or authentication


#1

Hi everyone,

I am trying to write a native Android and iOS app which uses Meteor for the backend.

I am using this library to connect to the Meteor server: https://github.com/delight-im/Android-DDP

I am wondering about connecting the server WebSocket to another URL. Let me explain:

I can connect to the local server with this line:

new Meteor(this, "ws://192.168.1.20:3000/websocket", new InMemoryDatabase());

But think about deployment. For example, let's assume my Meteor application IP is ‘111.23.32.1’

and I can connect in the Android application like this:

new Meteor(this, "ws://111.23.32.1/websocket", new InMemoryDatabase());

BUT anyone can connect to my server and take my data over DDP with this line.

Can I add authentication for the “/websocket” URL, or can I change the “/websocket” URL?

I’m not talking about the Meteor user login method; I have an application which doesn’t need users to log in to see data. I removed autopublish, but I have to show all data to all users. If I add autopublish, anyone who knows my server IP will be able to take my data.

How can I prevent this?

May I use the subscription method with a unique ID parameter, which is given by myself?

Thanks.


#2

This might be useful:

Haven’t used it, but it looks like you can register a callback that gets fired on a new connection. That callback gives you a single connection object whose HTTP headers you can interrogate. You can call the disconnect method on the same object to close the connection if your unique ID is not provided.

That’s all theory based only on my reading of the docs, but it sounds workable to me.


#3

So your application doesn’t need user login, but it does need a secret apiKey? Isn’t this basically the same as login? Otherwise, if anyone can go to your app in a browser and get data, why is it any different if anyone is able to do the same over the WebSocket directly? The browser does that underneath with sock.js, if you look at the network calls. One solution, as mentioned above, is to catch your requests with something like meteorhacks:picker and do some filtering.


#4

Thanks for the reply.
I tried this method; it’s working, but it continuously tries to reconnect to the server.


#5

Thanks for the advice, you are right. I will remove autopublish and build a subscribe system to prevent showing data to everyone. On the other hand, you mentioned meteorhacks:picker; Meteor already has it, its name is the WebApp package, and it’s just for REST APIs. Can I handle the “http://…/websocket” connection on the server side with something like an apiKey or parameter etc.? I want a direct connection to the server for reactivity. I will give an apiKey to selected users to connect to my server with this key or unique parameters in the native applications.

Thanks


#6

I’m not an expert, but I think sock.js is actually served over HTTP. I don’t think anything is stopping you from specifying a query parameter, which you can then use in your server-side request handler to accept/reject requests.

```js
// client pseudocode
WebSocket("ws://yourip/websocket?apiSecret=yoursecret")

// server pseudocode
// note: the original condition `!params.query.apiSecret === "yoursecret"` is always
// false, because `!` is applied before `===`; compare with `!==` instead
onRequest = (params, req, res) => {
  if (params.query.apiSecret !== "yoursecret") {
    res.writeHead(403)
    res.end()
  }
}
server.listen(3000).onRequest(onRequest)
```

#7

Thanks for the reply,
But there is a problem: “http://…/websocket” is not a URL. It is like a gate for the WebSocket connection, and I can’t handle it on the server side like this REST request:

```js
WebApp.connectHandlers.use('/api/nameGet', (req, res) => {
  // asd is the poster's collection; look up one document by id, omitting _id
  const name = asd.findOne({ "_id": req.query.id }, {
    fields: {
      _id: 0,
    }
  });

  var json = JSON.stringify(name);
  res.writeHead(200, { "Content-Type": "application/json", "Size-of-Document": json.length });
  res.end(json);
});
```


#8

I think that’s pretty standard DDP client behaviour. You could code your client not to try to reconnect on an error, but that’s not the point, since you want your clients to connect, right? Not much you can do to force foreign clients to stop retrying.