nodeSolidServer/node-solid-ws

WS should be authenticated with ACL


The client should probably provide the user credentials in the upgrade request.
Connecting should probably never fail.
Notifications should only be sent to authenticated users who are subscribed to a (parent-)folder containing that item, and currently have read-access to the changed item.
Maybe subscribing to a folder to which the user has no read access should already fail with an error if the user does not have read access to the folder at that time, since the user would not receive any notifications unless the ACLs change during the period the WebSocket connection is active.
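The rules proposed above, as an added sketch that is not part of the original issue and is not node-solid-ws code. `Hub`, `canRead`, `connect` and the ACL table are hypothetical names, the ACL is a flat constructed map with no inheritance, and the WebID on each connection is assumed to have been established from credentials in the upgrade request.

```javascript
// Added example: Hub, canRead and acl are hypothetical, not node-solid-ws APIs.
const PUBLIC = '*'; // constructed marker meaning "anyone, including anonymous"

// Constructed ACL: resource path -> set of agents with read access.
const acl = new Map([
  ['/public/', new Set([PUBLIC])],
  ['/public/note.ttl', new Set([PUBLIC])],
  ['/shared/', new Set(['https://alice.example/#me', 'https://bob.example/#me'])],
  ['/shared/plan.ttl', new Set(['https://alice.example/#me'])],
]);

// Read check evaluated against the ACL as it is now; unknown paths are denied.
function canRead(webId, path) {
  const readers = acl.get(path);
  if (!readers) return false;
  return readers.has(PUBLIC) || (webId !== null && readers.has(webId));
}

class Hub {
  constructor() { this.subs = []; } // entries: { conn, folder }

  // Connecting never fails; subscribing is refused without read access to the folder.
  subscribe(conn, folder) {
    if (!folder.endsWith('/')) folder += '/'; // '/shared' must not match '/shared-private/x'
    if (!canRead(conn.webId, folder)) return { ok: false, error: 'forbidden' };
    this.subs.push({ conn, folder });
    return { ok: true };
  }

  // Notify subscribers of a (parent) folder who can read the changed item right now.
  publish(changedPath) {
    const notified = new Set();
    for (const { conn, folder } of this.subs) {
      if (!changedPath.startsWith(folder)) continue;
      if (!canRead(conn.webId, changedPath)) continue; // re-checked on every event
      if (notified.has(conn)) continue; // one notification per connection
      notified.add(conn);
      conn.inbox.push(changedPath);
    }
    return [...notified].map((c) => c.webId);
  }
}

// A connection as it would look after the upgrade request; webId null = no credentials.
const connect = (webId) => ({ webId, inbox: [] });
```

Because the read check runs at publish time rather than only at subscribe time, a grant or revocation made while the socket is open takes effect on the next change.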

As a first step, I'll try to restrict updates to public files when connected without credentials.

I'm now (finally) working on a fix for this, see https://github.com/solid/specification/issues/52#issuecomment-682491952

I plan to finish this in October 2020 as part of my EU-funded solid-crud-tests milestone (will update this comment if that estimate changes).

@jaxoncreed as discussed in the Solid OS call today, would it make sense to add a WebSockets client into ISCAJ? How can we coordinate that between the two of us?