allow an admin to set 'no authtoken for anonymous users' in the UI or settings.php.

modify js in brower to check the setting and not send authtoken.

modify node.js server script to allow connections without an authtoken.

CommentFileSizeAuthor
#9 nodejs-anonymous-1428612-9.patch588 bytesjoelstein
#8 nodejs-anonymous-1428612-8.patch991 bytesjoelstein
#5 nodejs-anon-session-1428612-5.patch646 bytesmoehac
#1 nodejs-anon-session-1428612-1.patch2.21 KBjwalz

Comments

jwalz’s picture

jwalz commented
Category: feature » bug
Priority: Normal » Major
Status: Active » Needs review
StatusFileSize
new nodejs-anon-session-1428612-1.patch2.21 KB

I'm changing the category/priority of this issue as it has more implications than just the auth token. Specifically, this creates a session for anonymous users which can cause caching issues (For me, I'm running into the problem with varnish).

There may be a cleaner way to do this, but I needed a fix right away. All I've done is define a specific token that anon users will use to avoid the need for a session.

moehac’s picture

moehac commented

Same issue with having Varnish as proxy. This patch worked.

Anonymous’s picture

Anonymous (not verified) commented
Title: socket connections that don't require an authtoken » public channels and non-authenticated sockets

i think we're taking the wrong approach here, and it seems past-me was also wrong. i do see the use case - creating public channels and allowing access without ever involving drupal and starting a session. some thoughts below.

as it stands now, all access control is handled by drupal. a socket connects with an authtoken, we send that to drupal, and drupal tells server.js what that socket can see.

if we don't have an authtoken which we pass to drupal, how do we decide what that socket has access to? we absolutely don't want to give non-authenticated sockets access to data based on input server.js receives from those sockets.

so, i think we need to implement drupal-controlled public channels. these channels are explicitly public - no access control at all. anyone on the internet can connect to your server.js process and start listening in on whatever is sent to that channel. i'm belabouring the point a bit to make it very, very clear that there is no access control on these channels.

then, we need a global 'allow non-authenticated sockets' switch for server.js. when set, if a socket is created without an authtoken, it is simply subscribed to any 'public' channels.

does that make sense? patches welcome...

Anonymous’s picture

Anonymous (not verified) commented
Category: bug » feature
Status: Needs review » Active
moehac’s picture

moehac commented
Issue summary: View changes
StatusFileSize
new nodejs-anon-session-1428612-5.patch646 bytes

In order to make public channels work for us, in addition to patch #1 (due to caching issues), I also changed the nodejs client-manager.js script to also look for 'sessionId' in preAuthSockets if the message contains a certain parameter. It's not the best way (I'm sure), but at least via Drupal we can control what is available for everyone to see by controlling this parameter's value.

I'm using drupal-node.js@1.0.9.

We use svn, so I'm attaching the patch as a file.

socialnicheguru’s picture

socialnicheguru commented
Status: Active » Needs review

so is this for the newest version? lib/client-manager.js is not in the newest version of the module

moehac’s picture

moehac commented

@SocialNicheGuru, lib/client-manager.js is part of the npm package here: https://www.npmjs.com/package/drupal-node.js, it's not part of the Drupal module.

joelstein’s picture

joelstein commented
Version: 7.x-1.x-dev » 8.x-1.x-dev
StatusFileSize
new nodejs-anonymous-1428612-8.patch991 bytes

We also needed a way to integrate Node.js with anonymous users, and the approach from the first patch posted here worked well for us. Here's the Drupal 8 equivalent. I also changed the auth token to "anonymous_user".

joelstein’s picture

joelstein commented
StatusFileSize
new nodejs-anonymous-1428612-9.patch588 bytes

After further testing, it seems the patch I posted in #8 prevents authenticated users from receiving the "nodejs_user_UID" token.

This new patch seems to work better for both authenticated and anonymous users.