I'm currently doing some research about the best way to implement event based authorization in a realtime web application. In comparison with a normal REST call based application, published events are some kind of API-calls that need to be authorized on the server as there are different types of authorization levels. In the current REST application authorization is handled in general in the first step (Token Validation) and then call based by checking the user rights against the required ones for the call. Should this also be done that way in a realtime web application? Or is there some kind of mind-shift required in terms of application architecture?
Code sample from the current application (maybe bad sample for realtime requirement, but it shows the kind of authorization that is required very well):
app.get('/api/profile/email', passport.authenticate('bearer', {
session: false
}), authorize('user.profile.email.read'), function (req, res) {
// Do something and respond
});
I'm looking forward for some great input from you guys!
One of the ways I have done it (if using sockets lets say) is to use a token stored in redis after the initial login or a refreshed token. It does a check on the token with authentication middleware to make sure it can continue or it sends an error. If you code it right, you can pass the token, pull it out and check it using your middleware.
io.use(function(socket,next){
var token = socket.request._query.tokenOfImmortality;
tokenHandler.verify(token,next); //Function handles checking redis for access
}