Been researching heaps and making no progress :(
Trying to set up a small web app using VB in VS 2013.
I have added all the SignalR resources to my project.
Each logged in client has a UserID in my database.
I want to invoke a SignalR message to certain UserID's from server-side code, not client-side. Firstly, is this possible? (it was possible using ReverseAJAX, but I have chosen not to use that)
If it is possible, how do I go about setting up the SignalR Hub to allow me to send a message using a UserID? I don't need help with the SQL, I can do that my self.
Also, what javascript do I need to persist the request? I'm guessing I will need the UserID somewhere in this piece of code.
Thanks heaps.
This is very possible. If you look here
http://www.asp.net/signalr/overview/signalr-20/hubs-api/hubs-api-guide-server#callfromoutsidehub
you will find a section on "Single User Groups". This is the mechanism available in version 2 to send a message to a single User Id. Essentially when a Connection is established you add the User Id to a "group" which can be accessed by Group Name (syn. User Id) without having to worry about persisting the relationship of a connection id to a user id yourself. The only limitation would be if more than 1 connection is established by the same user, all devices with that user would be in the same group and would therefore receive any messages sent to it...
There is also another section on how to retain the instance of your SignalR context on the web server to make calls out to clients (How to call client methods and manage groups from outside the Hub class)
I did read something about the SignalR team creating User Id methods but I have used the above approach with fair success and haven't looked much further into that.
Hope this helps
As #Pepto mentioned, here it is described how you can get a reference to your hub, and then use it in your server code.
An easy way to invoke a client-side function for a specific user, would be to use Clients.User("Username") in your hub.
Intellisense will tell you that User() wants an ID as a parameter, but you should pass the username of the user, whose function you want to invoke, not his ID.
Related
I am new to web development, but I am building a tool to help us visualize the customers in our database in a more concrete way (basically a CRM of sorts). Its a web app using a node.js backend and Vue.js for the front end.
THE BIG QUESTION - I found a connection.threadId query that can be run. If I save this threadID in a cooke or JSON web token, can I use this to have each user uniquely querying the database? If you need additional information on my issue, continue reading.
Essentially the problem I am running into is authentication. We were able to get a dummy user create that has read only privileges to the database, but this doesnt help the account management team. I am trying to find a way for them to be able to login with their own credentials and then be able to run queries from my node.js (javascript) backend using a series of get and post requests.
I am able to get the user to login with the SQL password and they can run the initial query (that fires upon login) but they then cannot re-query the database if someone else logs in after them (I realized that my variables were all globally scoped on the server.) I then moved everything client side in JSON web tokens, but I had to hash the database password to be safe which leaves me with another problem. My hash and the original database hash do not match, and that is not something I'll ever get access to. Not really sure where else to go with this at this point.
Please ask if you need any additional information to assist.
Thanks!
You probably can't.
You also probably shouldn't use variables on the SQL server for a web app like this. If you can refactor those into variables you can schlep around in the user session (or POST parameters or whatever), you're much better off, being more stateless (as far as the server components are concerned) and all too.
I'm trying to make a user log in just once, and have his information on all the servers. Any changes made to the user's information will instantly be available for all servers. Is this possible to do without having each user "log in" separately for each server?
Sort of like the $_SESSION for php, but for Node.js
Design 1 -
What I think would be best to do, but don't know how to share socket data between servers, perhaps using something like PHP's $_SESSION?
Design 2 -
What I'm currently doing:
User uses socket.emit to main.js
main.js adds user information onto the emit
main.js emits to the appropriate server
Appropriate server emits back to main.js
main.js finally emits back to user
This seems awfully inefficient and feels wrong
If your information is primarily static, you can try something similar to JWT. These are cryptographically signed tokens that your authenticating server can provide and the user can carry around. This token may contain information about the user that you want each server to have available without having the user accessing it.
If it's not, you may be looking into sharing a database across all servers, and have that be the point of synchronization between them.
Updates based on our comments (so they can be removed later):
If you decide to use auto-contained JWT tokens, you don't need to be making trips to the database at all. These tokens will contain all the information required, but it will be transparent to the end user that won't have insight into their contents.
Also, once you understand the JWT standard, you don't necessarily have to work with JSON objects, since it is just the serialization approach that you can switch by another one.
You'd provide one of these tokens to your user on authentication (or whenever required), and then you'd require that user to provide that token to the other servers when requesting information or behavior from them. The token will become your synchronization approach.
I am trying to implement client to client messaging in my app, using socket.io, and node.js and Android.
I searched a little, and found a lot of tutorials, explaining how to deal with targetting specific client when sending messages through socket.io socket.
Send message to specific client with socket.io and node.js
The solution is almost always the same : Creating a hashmap object, linking user info such as its username, email address (or anything unique allowing to identify it), with its socketid.
Then calling io.clients[sessionID].send()
Now I have two questions :
This would work if only one instance of the app is running, but imagine if my app is divided in multiple instances (for large app).
What if a client A, connected to instance X, wants to send message to user B, connected to instance Z. If, as seen in the example, socketids are stored directly in a simple object existing in the script, some sockets wont know about others users existing in an other instance.
If I am totally wrong (and I might), is this a good practice to store all user's socketids in a single variable ? If yes, would it still be okay with a 50000+ users enviromnment ? If no, should I find another solution like storing user's socketids in database ?
You could use a redis instance, shared between all your app instances. And you get 2 birds with one stone.
The redis would store all your socket ids in a centralized place.
My plugin is has flows depicted by the diagram below:
The requirement is to make the onclick transaction happen after authentication. That is, only if the owner of the domain which contains page.html has registered with my site (for instance www.MyPluginJS.com/register) can he/she use MyPlugin.js.
My registration portal spits out a Client ID after successful reqistration.
My question is:
What is the best approach I need to use in order to make the onclick transaction secure?
What are the other parameters (eg: MD5 fingerprint) I may require to make sure that the transaction happens securely?
Are there any existing frameworks (for instance OAuth) that I can leverage on?
I need a way to stop people from using MyPlugin.js who haven't registered.
I am inexperienced with security techniques but I can manage to code.
Thanks in advance :)
You could serve the JS file using some server side language and add a key/value pair to the request for the js file, pe: MyPlugin.js?key=someValue. Your script could compare the value to some DB table values where you store authorized users.
HTH,
Miguel
By using jQuery, you can take advantage of the function $.getScript(url) to load a javascript file from server-side avoiding the use of <script> tag.
The idea is to point the getScript function to a server-side script that will first validate your user's session and in case the session is valid, it will return your javascript file content to be loaded or a void javascript file otherwise.
I think you should use a session created on the server side to ensure the user is logged in. You can then check client side (for user convenience) if the session variable is set, and then validate the session server side (for security) to avoid user tampering with client side code.
You could then use AJAX to load the contents of the plugin page into an iframe. jQuery makes AJAX much easier to manage.
So the simple answer from me is to use server side scripting, and session variables to ensure security, and jQuery and AJAX on the client side for user convenience.
To invite friend to my app, as far as I know, the only way is to use JS SDK, with FB.ui and apprequests dialog. Thats fine.
Lets think about scenario - my FB game allows user to invite their friends and grant them (the friends) with some item. Based of level, name, random, whatever.
There is data parameter I can use while calling the dialog. It looks like the place where I can store information about what kind of item is to be given.
But..what stops users from tampering with this data? Of course, I can try some cryptographic and so on, but still, its variable fully visible to user.
Am I missing something? How given scenario can be solved in secure way?
You could set a code as the parameter to be sent, which you save on your server/database against that specific user. Then when the request is redeemed, check that the user has that code assigned to them. If they don't, you know it has been tampered.
#Abby is correct - store your request data in your database - the apprequest feature of the JS SDK has a callback containing information about the invite - store this and cross-reference the data when the user accepts the invite. The user might be able to tamper with the data on the Javascript level - but (I hope) he cant tamper with the data in your database. :)