Aravind edited this page Jun 10, 2013 · 3 revisions

Security model: Authentication (making sure that users are who they claim to be) is the responsibility of gateways, while authorization (checking that the user has the authority to perform the action) is handled by the core. When a gateway calls core.send(), the core trusts that the from field is correctly populated; it does not (and cannot) verify this.

Sometimes one gateway has to authenticate a user through another, e.g. the http gateway using facebook login, which requires server-side verification by the facebook gateway. This is handled by sending nick messages with a special auth property.

In the scenario above, the authentication flow will be:

  • the http gateway will use the facebook javascript SDK to obtain the current user's facebook ID and access token.
  • the http gateway will call core.send() with the following message (guest-8374 is the temporary ID of the user):

```javascript
{ type: 'nick', from: 'guest-8374', to: 'guest-8374', time: 139834782347823,
  auth: { gateway: 'facebook', id: 'facebook:877398502', token: 'j83yydi...' } }
```
  • core.send() will call the facebook gateway's auth() function with the id and token.
  • If the token is valid, gateways.facebook.auth() will call core.account(id) to get the room id (which doubles as the user id on scrollback) of that account.
  • gateways.facebook.auth() returns to core.send() the id of an existing user, an authentication error, or an authenticated-but-new-user error.
  • In the first case, core.send() will add a ref field to the message (the nickname of the authenticated user), route the message through 'following' and 'follower' relationships, and return the message to the original gateway (http).
  • The http gateway will update session and client-side javascript state to reflect the new nickname.
  • Other gateways downstream will receive the nick message and react appropriately. For instance, the IRC gateway may send a /nick.
  • In the error cases, the error is returned to the original gateway (http) and the message is discarded.
  • The http gateway will then display an authentication failed error or a sign up form.