Newbie question: Faye security issue.

timestopper · July 29, 2014 · Last reply by timestopper on July 29, 2014 · 2310 hits

I set up the Faye server following the tutorial and it works fine. Now I have a few questions. The JS at faye.xxx.com/faye/client.js can be pulled in by anyone, who can then publish/subscribe to channels. Is there a way to prevent this?

I have a feeling this could be done with a server-side check: http://faye.jcoglan.com/ruby/extensions.html

You can add an authenticity_token.

The ruby-china code has an approach that generates a token for logged-in users. I am also using Faye to build a messaging system myself, https://github.com/loveltyoic/inner_message, for reference.

```ruby
require 'faye'

Faye::WebSocket.load_adapter('thin')

FAYE_TOKEN = 'my_token'

class ServerAuth
  # Only non-/meta/ channels (i.e. publishes) are checked here;
  # /meta/subscribe passes through untouched.
  def incoming(message, callback)
    if message['channel'] !~ %r{^/meta/}
      # ext may be absent from a client message, so guard against nil
      ext = message['ext'] || {}
      if ext['auth_token'] != FAYE_TOKEN
        message['error'] = 'Invalid authentication token'
      end
    end
    callback.call(message)
  end

  # IMPORTANT: clear out the auth token so it is not leaked to the client
  def outgoing(message, callback)
    if message['ext'] && message['ext']['auth_token']
      message['ext'] = {}
    end
    callback.call(message)
  end
end

faye_server = Faye::RackAdapter.new(:mount => '/faye', :timeout => 45)
# add_extension takes one extension per call; an Array passed as a single
# argument does not respond to incoming/outgoing and is silently skipped.
faye_server.add_extension(ServerAuth.new)
# CsrfProtection is referenced but not defined in this post; define it or drop this line.
faye_server.add_extension(CsrfProtection.new)
run faye_server
```

It has no effect... What is wrong??
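The posted extension only inspects messages whose channel is outside /meta/, so it gates publishing but lets every /meta/subscribe through, which is the subscribe half of the original question. The following is an added example, not the poster's code and not from ruby-china, inner_message or Faye itself: a server-side extension that also checks /meta/subscribe against a per-user HMAC token (the "token for logged-in users" idea from the replies), uses a separate server-only token for publishes, tolerates a missing ext, compares tokens in constant time, and strips ext from every outgoing message. The channel scheme /users/<id>, the ext keys and the secrets are assumptions; it runs without the faye gem because a Faye extension is just an object with incoming/outgoing methods.

```ruby
require 'openssl'

# Added example (not the poster's or Faye's own code).
# Channel names, ext keys and secrets below are assumptions.
class SubscribeAuth
  def initialize(secret, publish_token)
    @secret = secret                # HMAC key, held only by the web app and Faye
    @publish_token = publish_token  # known only to the server-side publisher
  end

  # Token the web app hands a logged-in user for one channel, e.g. /users/42.
  def token_for(user_id, channel)
    OpenSSL::HMAC.hexdigest('sha256', @secret, "#{user_id}:#{channel}")
  end

  def incoming(message, callback)
    ext = message['ext'] || {}      # ext may be absent: never index nil
    case message['channel']
    when '/meta/subscribe'
      # the token must match the exact channel being subscribed to
      expected = token_for(ext['user_id'], message['subscription'])
      unless secure_equal?(expected, ext['auth_token'].to_s)
        message['error'] = '403::subscription denied'
      end
    when %r{\A/meta/}
      # handshake / connect / unsubscribe / disconnect pass through
    else
      # anything else is a publish to an application channel
      unless secure_equal?(@publish_token, ext['publish_token'].to_s)
        message['error'] = '403::publishing denied'
      end
    end
    callback.call(message)
  end

  # Never leak tokens: ext is removed from every message leaving the server.
  def outgoing(message, callback)
    message.delete('ext')
    callback.call(message)
  end

  private

  # Constant-time comparison so a token cannot be guessed byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Feeds one constructed Bayeux message through the extension and returns the result.
def run_message(ext_obj, message)
  result = nil
  ext_obj.incoming(message, ->(m) { result = m })
  result
end

if __FILE__ == $PROGRAM_NAME
  auth = SubscribeAuth.new('server-secret', 'server-publish-token')
  token = auth.token_for(42, '/users/42')
  own   = run_message(auth, { 'channel' => '/meta/subscribe', 'subscription' => '/users/42',
                              'ext' => { 'user_id' => 42, 'auth_token' => token } })
  other = run_message(auth, { 'channel' => '/meta/subscribe', 'subscription' => '/users/7',
                              'ext' => { 'user_id' => 42, 'auth_token' => token } })
  puts "own channel: #{own['error'].inspect}, other user's channel: #{other['error']}"
end
```

In a config.ru this would be registered with `faye_server.add_extension(SubscribeAuth.new(secret, publish_token))`; the web app computes `token_for` for the current user when rendering the page, and the server-side publisher sets `ext.publish_token` on its own messages.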
