The current SSE endpoint implementation (`/stream`) lacks user authentication.
Instead of authentication by user, a filter by message is used. And that's fine, but it's message-by-message authentication. The request itself is not authenticated/authorized.

Current implementation flaws:

- The client can connect with the wrong credentials. It just doesn't get any events. Why? No one knows; the client is just in a "connected" state.
- A connection can be opened by an anonymous client. A bad agent can open millions of SSE endpoint connections. This causes free ports to run out. Valid clients cannot connect.

Proposed solution:

Add a feature to the upstream `express-bff` package: the ability to set an `onConnect` callback. Check authentication in this callback. Close the connection for unauthenticated/unauthorized users.