Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SignalR Security

I am new to SignalR but I was curious about how secure it is.

For example, I create the following method to send a message to all users like so:

public class NotificationHub : Hub
{
    public void Send(string message)
    {
        Clients.All.broadcastMessage(message);
    }
}

SignalR generates the following method in a js file (hubs):

proxies.notificationHub.server = {
    send: function (message) {
        return proxies.notificationHub.invoke.apply(proxies.notificationHub, $.merge(["Send"], $.makeArray(arguments)));
     }
};

So, couldn't any user in the world just copy and paste this into their console and send a message of their choice to all of my users without my say-so?

var notifications = $.connection.notificationHub;
notifications.server.send("Your site has been hacked!");

I just tried this and it works - so, how can I prevent my users from sending unauthorized messages from the client side?

like image 462
user1477388 Avatar asked Apr 07 '14 16:04

user1477388


1 Answers

It's an HTTP endpoint like any other. If you want to restrict access to it you need to authenticate users and authorize their actions. You authenticate using standard web auth methods (forms auth, cookies, Windows auth, etc.) and you can authorize in code using SignalR constructs (like the Authorize attribute you point out) or with your own code.

This is all documented: http://www.asp.net/signalr/overview/signalr-20/security/introduction-to-security

like image 164
Damian Edwards Avatar answered Sep 28 '22 07:09

Damian Edwards