
How can I securely implement a notification system using socket?

I am currently working on a web application using the MEAN stack. It has a social aspect to it so I want to be able to push notifications to users.

The way I do it now is when something happens that should be a notification it gets stored in a mongo database with an unread flag. Each client will send a get request to the server every 30 second and will receive every notification marked as unread, and will then mark it as read.

I want to switch to using a message queue and sockets so less network resources will be used, and also provide the user with a real-time experience. I've thought about using redis and its pubsub structure but I can't seem to figure out how to do this securely. If I push out notifications to the affected users, won't it be easy for someone malicious to subscribe to somebody else's channel and receive notifications not meant for them? Am I missing something or is it just the wrong approach for such a system?

Edit: Figured I'd update with the solution I went with, in case anyone else reading this is having the same problem.

Instead of using RabbitMQ, as the answer suggested, I figured that a much easier and more elegant solution is to just use socket.io. When a new socket connects to the server I save a mapping from the userID to the socketId in a Redis in-memory DB (after I've validated their token). That way, if I need to push a notification to a user I just look up the socketId in the Redis DB, and then send it to the correct socket. This way I don't need any security beyond that, as socketIDs are unguessable, and the message is only sent across the single socket that belongs to the given user.

This way it will only get sent through the connection of the given socket, as socketIDs are only used server side to keep track of all the connections. This means no one else can "listen" using someone else's socketID.

You can use RabbitMQ for this. It also has authentication. Please go through the following link and try.

https://www.rabbitmq.com/access-control.html

Also, you can apply authentication in the existing structure using subscription auth tokens, with all subscribed users only. Even Redis has its security with topics. Please have a look at the link below.

https://redis.io/topics/security
