NodeJS - Best way to handle private messaging? - node.js

I want to create a private message system using NodeJS and websockets.
I was wondering what the best way is to create such system.
Is it better to create 1 nodeJS server and bind a listen-event for each user, or should I create a unique port/server for each conversation between 2 users?
i.e.
conversation 1 (user1 & user2): port 8080
conversation 2 (user2 & user3): port 8081
conversation 3 (user1 & user3): port 8082

Is it better to create 1 nodeJS server and bind listen-event for each user, or should I create a unique port/server for each conversation between 2 users. i.e.
Neither.
You can easily create a private conversation between two users with one server listening on one port and allowing users to connect to the server and then identify which other user they want to have a private conversation with.
A user identifies themselves to the server with some sort of credential when they login and connect to the server. Your server then knows which user belongs to which connection.
The server can then facilitate a private conversation between any two users by simply allowing userA to pass messages to userB and vice versa, but not allowing anyone else access to those messages. No private server per user is needed. No custom port is needed. You do need some sort of user authentication service so you can know which user is which with some appropriate level of credibility.
You can see some pieces of what you're asking about in this socket.io demo chat server.
Here's a more detailed description for how this works:
UserA connects to the server and identifies themselves.
UserB connects to the server and identifies themselves.
UserC connects to the server and identifies themselves.
UserA sends a message to the server instructing the server to send a private message to userC.
The server receives that message from UserA and forwards it on to UserC.
UserC receives the private message from userA.
The server does not store the message from UserA or ever send it to any other users (thus making it a private message).
UserC can then respond to UserA using the same mechanism.
Note: It is a requirement of pretty much any scheme that you have both user authentication and you have a user identifier. You will then also have to surface that in a user interface so that a given user can identify which currently connected user they wish to communicate with.
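The flow described in the answer, as an added example that is not part of the original answer: the server-side routing core in Node.js. The transport is abstracted as a send(msg) callback so the code runs without a network; the token store, user names and message shape are constructed for the example.

```javascript
// Added example, not code from the answer above: the routing core of a
// one-server private messaging system. With the `ws` package you would call
// router.connect(token, m => socket.send(JSON.stringify(m))) for each new
// connection and router.handleMessage(userId, data) for each received frame.

// Constructed credential store (token -> user id). In a real system this is
// your authentication service; the server never trusts a client-supplied id.
const SESSIONS = new Map([
  ["tok-A", "userA"],
  ["tok-B", "userB"],
  ["tok-C", "userC"],
]);

class PrivateMessageRouter {
  constructor(sessions) {
    this.sessions = sessions;     // token -> userId
    this.connections = new Map(); // userId -> send callback (one live socket per user)
  }

  // Steps 1-3: a user connects and identifies with a credential.
  // Returns the authenticated user id, or null when the token is unknown.
  connect(token, send) {
    const userId = this.sessions.get(token);
    if (!userId) return null;
    this.connections.set(userId, send);
    return userId;
  }

  disconnect(userId) {
    this.connections.delete(userId);
  }

  // Steps 4-6: an authenticated sender asks the server to deliver a private
  // message. The server stamps `from` itself (so a client cannot spoof the
  // sender), forwards to exactly one recipient and keeps no copy.
  handleMessage(senderId, raw) {
    if (!this.connections.has(senderId)) return { ok: false, error: "not authenticated" };
    let msg;
    try { msg = JSON.parse(raw); } catch (e) { return { ok: false, error: "bad json" }; }
    if (!msg || typeof msg.to !== "string" || typeof msg.text !== "string") {
      return { ok: false, error: "malformed" };
    }
    const deliver = this.connections.get(msg.to);
    if (!deliver) return { ok: false, error: "recipient offline" };
    deliver({ type: "private", from: senderId, text: msg.text });
    return { ok: true };
  }
}
```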

Related

rocket.chat uploading to inaccessible room

I am writing a slashcommand with the Rocket.Chat.Apps-engine for my Rocket.Chat Server which exports the chat in the current room, creates a pdf and uploads this back into the room. I am using my own node server for the generation and upload. However, my bot-user does not have access to, let's say, direct chats, and not to private rooms either. One could invite the bot into every new private room, but the direct chat problem stays. Is there a way to somehow use the Rest Api to write a message to such rooms? I am using access tokens for authorization.
So far I can read all the chats with the /api/v1/im.messages.others endpoint (also those my bot cannot access), now I need to have some endpoint or similar to write something to the rooms which my bot cannot see.

WebSocket vs HTTP - Indicate if the client is online or offline

I have an Angular web application which let users watch other users' profiles.
Those profiles should show if the user is online or offline.
I need some advice on how the "online users list" should be stored.
Should I use WebSockets communication to detect user connect and disconnect and, based on that, add/remove him from the list? Or should I send an HTTP request to the server when the application is created in the user's browser (ngOnInit on AppComponent) and when the user leaves (ngOnDestroy on AppComponent)?
Thanks.

How can I use SMTP and Gmail in an end user application?

I am working on an application that requires communication via email with the user and the client for whom the application is being developed.
Basically the flow is thus:
Program Does Something
Program sends an email detailing if it worked or not to the user and my client
We have established a Gmail account to make this happen. Unfortunately my client's users are multinational and Gmail freaked out and started blocking users, which started throwing exceptions when they were trying to use the program.
In the emails I saw when I checked the account, I saw at least two of these emails that say "Suspicious sign in prevented", and there was a red bar that said multiple attempts were tried to sign in and asked if it was me, and there were points all over the world.
How would I go about making it so that Gmail doesn't freak out when it sees users trying to sign in all over the planet?
Isn't sending through some kind of server application an option? I.e. instead of making an SMTP connection from your end user app directly to the Gmail server, your app sends a request to your web server which does the actual SMTP connection. This way you'll also eliminate issues when SMTP ports are blocked on end users' machines.

With Pusher, is there a way to prevent people from abusing a service's event update channels?

For a startup considering making public notifications intended for website users available via a Pusher channel, how do you prevent people from subscribing to that channel for a long period of time (camping essentially)? I know you can disconnect users after a period of inactivity if they are connected from a web client (by checking for activity on the client and sending a disconnect after a period of inactivity), but what if users decide to connect via a command-line app or something similar?
Pusher provides private channels where the subscription to those channels needs to be signed using your application secret in order for the subscription to be allowed.
Given the command-line app example you've provided, the author of that application would not know the application secret and would therefore not be able to subscribe to the private channel.

WMQ special consideration for WAS clients?

We have a WMQ - WAS/JMS client setup through server connection channels where we are trying to put in security through user Ids.
Now, we set up a local user id on the MQ box, mquserid, and left the channel's MCAUSER blank.
We thought: the ID running the MQ client (WAS in our case), wasuserid, when passed to MQ will fail as it is not set up on the MQ box. So we shall then set up a JAAS alias (with User Id: mquserid) for the Queue connection factory on WAS which will then be passed to MQ and will allow connections.
But, we are able to connect and put messages without the JAAS alias :(
I wrote a standalone Java program to connect to QMs and it is behaving correctly depending on the user Id I pass when obtaining connection.
Does WMQ treat WAS in a special way allowing connections without checking against its local user registry?
No, WAS is treated like any other connection.
In version 6 and earlier of WAS it will send a blank ID if the user ID on the WMQ connection is not specified. You can tell if this is the case by looking at the channel status while WAS is connected. The MCAUSER of the running channel will contain the ID that was used to connect. If the running channel status shows no MCAUSER value then WAS did not present an ID.
The other possibility is that the SVRCONN channel definition (not status) has a value such as mqm in the MCAUSER. In this case, the ID presented during the connection request is ignored. Again, check the channel status to see what ID is being used at run time or just check the SVRCONN channel definition to look for an MCAUSER value.
Now here's the kicker - if the channel's MCAUSER is blank then WMQ will accept whatever ID is presented. If no ID is presented, then the connected app or user runs as an administrator. If an app or user can be a WMQ administrator then they can do anything on the QMgr and can also remotely execute arbitrary OS commands on the server under the QMgr. Not good.
The correct answer is to set the MCAUSER on the channel to whatever value the app is supposed to connect as. At this point, the app cannot use any other ID because the channel will override it. However, anyone can connect to that channel so the next step is to authenticate the connection request. You can use an exit like BlockIP2 which is free or MQAUSX which is a commercial vendor product. BlockIP2 will filter incoming requests by IP address which may be sufficient for connections arriving from a static IP in a locked datacenter. MQAUSX will actually check the UserID and password sent during the connection request from WAS (or any client, for that matter). You can also use SSL and the channel's SSLPEER attribute to authenticate requests using X.509 certs. Note that if you use MQAUSX to validate a user ID and password either use SSL encryption with it or use both the client-side and server-side versions of the exit. Otherwise your credentials are flowed in cleartext over the wire which defeats the purpose.
Of course, if you secure the app's channel it's necessary to secure the other channels on the host such as SYSTEM.DEF.* and SYSTEM.AUTO.* or else an attacker will simply bypass the app channel.
Note that if the RCVR, RQSTR and CLUSRCVR channels do not authenticate requests or contain an MCAUSER value they also expose admin access. For example, if I want to control your QMgr and you locked the SVRCONN channels, I'd create a QMgr on my desktop, delete my SYSTEM.DEF.RECEIVER, create a new SDR channel called SYSTEM.DEF.RCVR and point it at your QMgr. If your SYSTEM.DEF.RCVR (or S.D.RQSTR or S.D.CLUSRCVR) or any other of these channel types that you have defined lack SSL or an exit then I can connect, and if they lack an MCAUSER then I can administer the QMgr anonymously and execute OS commands.
Any channel definition without an MCAUSER value allows administrative access.
Any channel without SSL/SSLPEER and/or an exit allows anonymous connections.
For more on this, please see the WMQ Hardening presentation and WMQ Security Lab documents at https://t-rob.net/links. Also, please see the articles on SSL and other WMQ security topics in the Mission:Messaging column on IBM developerWorks Tech Journal.
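The two rules stated above, turned into a check, as an added example that is not part of the answer: it parses a saved `DISPLAY CHANNEL(*)` listing and reports every channel that lacks an MCAUSER or has neither SSL/SSLPEER nor a security exit. The listing is constructed sample output, not taken from a real queue manager; the attribute names are the standard MQSC ones.

```javascript
// Added example, not from the answer: audit a saved DISPLAY CHANNEL(*) listing
// against the two rules (blank MCAUSER => administrative access; no SSL/SSLPEER
// and no exit => anonymous connections). SAMPLE_DISPLAY is constructed output.
const SAMPLE_DISPLAY = `
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                       CHLTYPE(SVRCONN)
   MCAUSER(mquserid)                          SSLCIPH( )
   SSLPEER( )                                 SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER( )                                 SSLCIPH( )
   SSLPEER( )                                 SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.RECEIVER)               CHLTYPE(RCVR)
   MCAUSER(nobody)                            SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
   SSLPEER(CN=partner.example)                SCYEXIT( )
`;

// One object of ATTR -> value per channel; blank MQSC values "( )" become "".
function parseChannels(text) {
  return text
    .split(/^AMQ8414:.*$/m)
    .map(chunk => {
      const attrs = {};
      for (const m of chunk.matchAll(/([A-Z]+)\(([^)]*)\)/g)) attrs[m[1]] = m[2].trim();
      return attrs;
    })
    .filter(attrs => attrs.CHANNEL);
}

// Apply the two rules. SSLCIPH alone only encrypts the link; the peer is
// identified by SSLPEER, so both are needed for the certificate path to count.
function auditChannels(channels) {
  const findings = [];
  for (const ch of channels) {
    const problems = [];
    if (!ch.MCAUSER) {
      problems.push("blank MCAUSER: whatever ID is presented (or none) is used, administrative access");
    }
    const certAuth = Boolean(ch.SSLCIPH && ch.SSLPEER);
    if (!certAuth && !ch.SCYEXIT) {
      problems.push("no SSL/SSLPEER and no security exit: anonymous connections accepted");
    }
    if (problems.length) findings.push({ channel: ch.CHANNEL, type: ch.CHLTYPE, problems });
  }
  return findings;
}
```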