
How do I "setup" a session. #8

Open
julienmachon opened this issue Feb 11, 2018 · 4 comments

Comments

@julienmachon

Hi,

First of all, thanks for your work, you are making access control look easy. I have a major issue though.

The 3rd argument of each function is session. The documentation only says "session - your connect session", but this is empty for me on read, and for a write operation, for example, it is the content of op, sent by the client using doc.submitOp(op).

I need to protect resources behind roles using JWT so I guess my question is "how do I setup a session". I've looked on the ShareDB documentation, but nothing is mentioned.

If you could point me out to the right direction, I'd be grateful.

Thanks

@minicuper
Contributor

We use https://github.com/derbyparty/racer-highway as transport. It does everything for us.

@julienmachon
Author

Ok, so based on this #6 (comment) and looking at the source code, I had to create a middleware that, on connect, sets a connectSession object in the agent object of the request. Something like:

sharedb.use('connect', (request, next) => {
  request.agent.connectSession = { userId: 123 };
  next();
});

This is key information and I think it should be added to the documentation. Happy to create a PR for it if that helps?

One more thing: getting the necessary information in the request object involves passing a second argument to sharedb.listen(ws, myRequestWIthSessionMetadata). That second argument isn't documented in the ShareDB README either, so I'll suggest a PR to them as well.

Hope this comment will be helpful for others.

Thanks

Julien

@sagacitysite

Thx @julienmachon that really helped me!

Just to complete this with the websocket stuff, in case someone searches for a 'full' solution. It is possible to use a cookie, which is sent directly with the connection request of the socket. In my case the authentication (and the user id) is stored in local storage, so it was necessary to find a way to hand the user ID all the way from the client to the server socket, then to sharedb and finally to sharedb-access.

So, on client you can set the user id using a query parameter as follows:

var socket = new WebSocket('wss://example.com/socket?userId='+userId);

On the server you can take it from the url and hand it over to the ShareDB backend:

wss.on('connection', function(ws, req) {
	// Get userId from client request
	var userId = req.url.split("?userId=")[1];
	
	var stream = new WebSocketJSONStream(ws);

	// Let backend listen to stream, also hand over userId
	sharedb.listen(stream, { 'userId': userId });
});

Afterwards the middleware can be used to store it in session:

var _ = require('lodash'); // assumed: _.isUndefined exists in both lodash and underscore

sharedb.use('connect', (request, next) => {
	// request.req is the second argument passed to sharedb.listen() above
	if (!_.isUndefined(request.req))
		request.agent.connectSession = { 'userId': request.req.userId };
	next();
});

Now it can be used in sharedb-access:

sharedb.allowUpdate('docs', function(docId, oldDoc, newDoc, ops, session) {
	console.log(session.userId);
	return true;
});

@ihsanciftci

Thx @julienmachon that really helped me!

So, on client you can set the user id using a query parameter as follows:

var socket = new WebSocket('wss://example.com/socket?userId='+userId);

On the server you can take it from the url and hand it over to the ShareDB backend:

wss.on('connection', function(ws, req) {
	// Get userId from client request
	var userId = req.url.split("?userId=")[1];
	
	var stream = new WebSocketJSONStream(ws);

	// Let backend listen to stream, also hand over userId
	sharedb.listen(stream, { 'userId': userId });
});

How do you verify that the user is a real user with the given id?
There should be a session cookie or a JWT token (in my case a JWT token) that verifies the user has the given id.
Any malicious client can send an id which does not belong to her.
