Simple pub/sub messaging for the web

Security advice

Restricting publication access

Applications typically only allow authenticated users to modify things: you must prove you ‘own’ a resource or that someone has given you permission before you go and change someone’s database. In Faye, publishing is the write operation: publishing a message to the server causes it to be sent to all subscribed clients, which will act based on the data in the message. By publishing a message, you are sending instructions to other clients, and the clients must be able to trust that the data they receive is genuine.

If you do not protect publication, your site probably has a Cross-Site Request Forgery (CSRF) vulnerability, and possibly a Cross-Site Scripting (XSS) one too.

Protecting publication on the server side is simpler than protecting subscription, because publication messages (those with channels other than /meta/*) cannot be addressed to wildcards. So, to protect a channel’s publications, you only need to check that literal channel name.

The channel the message is being published to will be in the message.channel field. An important fact to remember here is that messages are forwarded verbatim to other clients, so if they contain authentication data you should delete this from the message during the authorized() function so it is not leaked to third parties.

var channel = '/foo/bar/qux';

var authorized = function(message) {
  // returns true or false

  incoming: function(message, callback) {
    if (message.channel === channel) {
      if (!authorized(message))
          message.error = '403::Authentication required';

See Authentication for a discussing of the authorized() function.