-
-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Periodic reauthentication #752
Comments
you can use
|
That wouldn't work for us, unfortunately. We have short-lived access tokens stored in the user's session cookie and we need to refresh those and update the cookie, which requires some participation of the provider rather than just doing it in the server. Our |
I think @solirpa's solution would work for me, but having a re-auth period as a configuration option would feel a bit cleaner |
In order to re-evaluate the permissions of a user before applying a message, you can use the I'll keep this open to track progress on resending authentication information from the provider side, which we currently don't officially support. |
In case the process to re-evaluate the permissions of each user while is using editing the doc is fetching a record in a relational database (or course, a future improvement would be to replicate this in something like Redis), which hook would you recommend @janthurau ? Separate question, depending of which hook is used, if the check passes nothing happens, but if the user is no longer authorized to read-write that doc, an error is returned to the client side, and I guess the connection is closed in the provider? And then how can this be handled in the client side? In which listener this error is received? |
You can use stateless messages to send newly issued tokens(by your API) from the client to the server via the socket. The token can be persisted/associated with the connection on the server side and then used to apply/discard updates or even drop the connection when needed. |
@p1nox stumbled across this ticket b/c we're trying to periodically re-authenticate too. Our approach was to use |
Now this logic is sorely lacking, there is only one output, invoke disconnect on server 🙁 Ideally, I need
|
The problem I am facing
We check that the user is authorized to edit the document during the initial authentication handshake. But if the user's access is revoked while they have a connection open, they can continue to edit the document until they reconnect.
The solution I would like
I would like the server to keep track of the last time it received an authentication message, to be able to configure a timeout after which a client who has not reauthenticated would be disconnected, and to be able to configure the provider to reauthenticate on a given interval.
The text was updated successfully, but these errors were encountered: