I've been playing a bit with socket.io's chat, and I have a question: how can I differentiate between an admin user and a regular user in the chat room? I'd like the admin to have powers like kicking and banning people, but my users to not.

我一直在玩socket.io的聊天,我有一个问题:如何在聊天室中区分管理员用户和普通用户?我希望管理员拥有像踢和禁止人的权力,但我的用户却没有。

I'm using Symfony to develop my application, and I'd like to use its user database for the chat users. I'm using FOSUserBundle for my Symfony app's users. They are split into multiple groups, so I have the admin group, and others.

我正在使用Symfony开发我的应用程序,我想将其用户数据库用于聊天用户。我正在为我的Symfony应用程序的用户使用FOSUserBundle。它们分为多个组,因此我有管理组和其他组。

The admin group has ROLE_ADMIN which means that each user inside it has that role. That is the admins group and each user in this group should have permissions to ban, kick, mute etc. other users in the chat room.

管理员组具有ROLE_ADMIN,这意味着其中的每个用户都具有该角色。这是管理员组,该组中的每个用户都应具有禁止,踢,静音等聊天室中其他用户的权限。

For using my Symfony users in the chat, I've been reading into Redis to get their sessions, but I'm not exactly sure how to make the difference between my admin users and regular users. How can I prevent a regular user from making a request to the server that does something that the user doesn't have access to? Because anyone can do requests, but how can I validate those requests if they come from users stored in a MySQL database on the Apache server?

为了在聊天中使用我的Symfony用户,我一直在阅读Redis以获取他们的会话,但我不确定如何区分我的管理员用户和普通用户。如何阻止常规用户向服务器发出执行用户无权访问的操作的请求?因为任何人都可以提出请求,但是如果这些请求来自存储在Apache服务器上的MySQL数据库中的用户,我该如何验证这些请求呢?

If not for Symfony, how this could be done in a regular PHP application? In the end, it doesn't matter how the admin is defined, but how to connect him to the Node server and how to make the Node server work with my user database.

如果不是Symfony,如何在常规PHP应用程序中完成此操作?最后,管理员的定义方式无关紧要,但如何将他连接到节点服务器以及如何使节点服务器与我的用户数据库一起工作。

I had an idea of simply encrypting and sending the user's data to the node server, then decrypt it there. Only the two servers know the private keys, so even if a client gets its hands on the encrypted data, he can't make a request with it for another client. I may do some IP check and a timestamp. The decrypted data on the node server could then be used to say if the user is an admin or not and allow him to send certain requests. Is this a good idea or is there a better way?

我只想加密并将用户的数据发送到节点服务器,然后在那里解密。只有两个服务器知道私钥,因此即使客户端接收到加密数据,他也无法向其他客户端发出请求。我可以做一些IP检查和时间戳。然后可以使用节点服务器上的解密数据来说明用户是否是管理员并允许他发送某些请求。这是一个好主意还是有更好的方法?

2 个解决方案

#1

3

I had an idea of simply encrypting and sending the user's data to the node server, then decrypt it there. Only the two servers know the private keys, so even if a client gets its hands on the encrypted data, he can't make a request with it for another client.

我只想加密并将用户的数据发送到节点服务器,然后在那里解密。只有两个服务器知道私钥,因此即使客户端接收到加密数据,他也无法向其他客户端发出请求。

That's the basic idea.

这是基本的想法。

How I would do it? I would use something like JWT to just send the userId to the node application. Doesn't have to be encrypted, because I only care about the jwt signature to make sure the request was indeed issued by the real user.

我该怎么办?我会使用类似JWT的东西将userId发送到节点应用程序。不必加密,因为我只关心jwt签名以确保请求确实是由真实用户发出的。

After that, using the userId I would make a server side call to the php application to check the roles of the user.

之后,使用userId,我将对php应用程序进行服务器端调用,以检查用户的角色。

To elaborate:

详细说明:

  • The node app and the php app will use a shared secret to sign the JWT token.
  • 节点应用程序和php应用程序将使用共享密钥来签署JWT令牌。
  • The PHP application will expose the generated token to the frontend.
  • PHP应用程序将生成的令牌暴露给前端。
  • The socket.io client will send the token as part of the authentication to the node app.
  • socket.io客户端将令牌作为身份验证的一部分发送到节点应用程序。

How to handle banning

如何处理禁令

  • keep a list of opened sockets with their user id
  • 保留已打开的套接字列表及其用户ID
  • create a webservice endpoint in the nodejs application which can hanlde the "ban" requests from the php application.
  • 在nodejs应用程序中创建一个webservice端点,它可以处理来自php应用程序的“禁止”请求。
  • when such a request is received by the nodejs application, lookup the socket based on the userid and close the connection.
  • 当nodejs应用程序收到这样的请求时,根据用户ID查找套接字并关闭连接。

更多相关文章

  1. 使用PHP和MySQL开发“测试”Web应用程序的数据库设计
  2. php微信网页授权获取用户信息
  3. Laravel Auth只验证管理员/超级用户
  4. 用户GROUP BY ERROR之间的SQL查询privatemsgs
  5. 使用PHP显示用户输入
  6. 数据库是存储我的Web应用程序数据的最佳选择吗?
  7. 根据网址上的国家/地区将用户重定向到正确的数据库,我使用i18n fo
  8. PHP结合Redis来限制用户或者IP某个时间段内访问的次数
  9. 使用JOIN获取有关两个用户的信息

随机推荐

  1. c语言数据类型(初学)
  2. Android新特性之CardView的简单使用
  3. 阿里面试官:什么是MySQL索引,为什么要有索
  4. Android异步网络请求--AsyncHttpClient
  5. Netty中拆包和粘包问题的解决(先为明天的
  6. 首批 Android(安卓)One 入门级手机正式推
  7. 一道高频的面试题:什么是零拷贝技术?
  8. 说一下这段时间面试的感觉
  9. 关于android导入工程时出现的@Override错
  10. Android开发―随笔杂记(2010年的)