-
Notifications
You must be signed in to change notification settings - Fork 454
User access control
When you create a server, you can specify an auth(agent, action) method. This method will be called anytime a user tries to do anything, and you can choose whether to accept or reject the attempted action.
The auth method gets access to the user agent, which is a persistent object assigned to each user for the duration of their session.
The auth method is specified in the options object when a server is created and can be for both authentication (is the user who they say they are) and authorization (is the user allowed to perform an action).
Here is an example of that checks the authentication of a user but will not allow them to delete documents
options =
db:
type:'memory'
auth: (agent, action) ->
if action.type == 'connect'
# check user has valid authentication token
if agent.authentication == '1234'
action.accept()
else
action.reject()
else if action.type == 'delete'
# no users are allowed to delete
action.reject()
else
# all other actions allowed
action.accept()
server = connect(...)
sharejs.attach server, options
server.listen 8000On the client you code might look like this
options =
# This could be a string or an object
authentication: '1234'
sharejs.open 'hello', 'text', options, (error, doc) ->
if error
# handle error
else
# use docagent is an object which is uniquely associated with the client connection. The user agent object has the following fields:
-
authentication: String or object which is sent when the client connects, use this for authentication tokens. -
headers: Dictionary of the client's HTTP headers. This is set when the client initially connects and is not updated. Header names are lowercase. -
sessionId: A random string associated with the client session. -
connectTime: A Date which says when the session was established -
remoteAddress: The IP or hostname of the client -
name: The user's name or identifier. Defaults tonull. You should set this when a client connects.
The user agent object is kept for as long as the corresponding client stays connected. As a result, you can cache your own custom data in the object. For example, you could fetch a user's session cookie in the http headers. Look that up in your session database, then put their actual username in the agent object.
action is an object which represents what the user is trying to do.
The most important fields of the action are action.accept() and action.reject(). Call accept() to allow the user's action and reject() to deny it.
authmust always call eitheracceptorrejectexactly one time!
Other fields:
-
name: The name of the action. -
type: CRUD action type (create,read,updateordelete. ... Orconnect.. because I need that too.) -
responded:truewhen eitheraccept()orreject()has been called,falseuntil then.
| Name | Type | Other fields | Description |
|---|---|---|---|
connect |
connect |
- | A client is trying to connect. All the interesting information is in the user agent object. All clients will generate a connect request, even when their connection is not persistant. |
create |
create |
docName, docType, meta
|
Create a new document |
get snapshot |
read |
docName |
Get a document snapshot |
get ops |
read |
docName, start, end
|
Get historical operations from start to end on the document. If end is null, the client is requesting all ops. |
open |
read |
docName |
The client is opening a document. This will result in a stream of all applied operations. It may be used in conjunction with get ops. (This used to be called 'listen' in ShareJS 0.4) |
submit op |
update |
docName, op, v, meta
|
Apply op to docName at version v
|
delete |
delete |
docName |
Permanently delete the named document |
Please try it out and file any bugs you find!