webinar 03 - deepstream security concepts and features

Transcript

1. deepstream security concepts and features @Srushtika | [email protected] [email protected]

2. None

3. encryption

4. encryption authentication

5. encryption authentication permissions

6. #1 encryption

7. None
8. None
9. None
10. None
11. None
12. None

13. • Certificate • Key • Certificate Authority (CA)

14. encryption in deepstream

15. const client = deepstream (“wss://154.deepstreamhub.com?apiKey=...”) deepstream uses Secure Websockets

16. # SSL default configuration (no SSL/TLS) sslKey: //link to sslKey

    sslCert: //link to sslCert sslCa: //null if self generated SSL configuration - required prior to using wss on deepstreamIO
17. None
18. None

19. - Nginx - HAProxy - Apache - Most J2EE servers

    like Tomcat and JBoss - AWS Elastic Load Balancing

20. #2 authentication

21. authentication no authentication file based authentication HTTP webhook authentication email

    authentication token authentication TOKEN

22. authentication deepstream IO Hub no auth file auth token auth

    email auth webhook auth

23. no authentication

24. no authentication const client = deepstream('<YOUR APP URL>') client.login({}, (success)

    => { // success will be true })

25. file based authentication

26. # Username as key johndoe: password: uY2zMQZXcFuWKeX/6eY43w==9wSp046KHAQfbvKcKgvwNA== clientData: renderColor: brown

    serverData: role: admin samjones: password: 7KZrUQcnFUDNOQtqtKqhCA==ElDieSHdI2vtiws41JF/HQ== clientData: favoriteDessert: shortbread serverData: role: user an example of a user file

27. file based authentication auth: type: file options: # Path to

    the user file. Can be json, js or yml path: ./users.yml # the name of a HMAC digest algorithm hash: 'md5' # the number of times the algorithm should be applied iterations: 100 # the length of the resulting key keyLength: 32

28. deepstream hash <password> deepstream’s CLI tool for hashing passwords

29. file based authentication client.login({ username: ‘johndoe’, password:'uY2zMQZXcFuWKeX/6eY43w==9wSp046KHAQfbvKcKgvwNA==' }, (success, data)

    => { // App logic })

30. token authentication TOKEN

31. on your application dashboard

32. on your application dashboard

33. token authentication client.login({ token: “aI2wYSh1FS_2WODD14bYZe1TfIyhAukl” },(success, data) => { //application

    logic } })

34. email authentication

35. on your application dashboard

36. email authentication client.login({ email: '[email protected]', password: '.......' }, (success, data)

    => { console.log(success, data.token, clientData) // "success": true, // "token": "aI2wYSh1FS_2WODD14bYZe1TfIyhAukl", // "clientData": { // "renderColor": "brown", // "id": "s64907sdkjdsif" // } })

37. using dashboard

38. using deepstream’s HTTP API curl -X POST -H "Content-Type: application/json"

    -d '{ "body": [ { "type": "email", "email": "[email protected]", "password": "**********" } ] }'"https://api.deepstreamhub.com/api/v1/user-auth/signup/:apiKey"

39. using session tokens for authentication client.login({ token: “lgMDJAmFqxV9BLOfEZigfC_-nd-Tx6Gn” },(success, data)

    { })

40. session tokens example //retrieve a token from the localStorage const

    token = localStorage.getItem('deepstream-token') //if it is not null, if (token) { //token exists but not validated yet //attempt to resume the previous session using this token resumeSession(token) } else { //logging in for the first time loginWithEmail() } 1

41. session tokens example function resumeSession (token) { //try logging in

    with session token client.login({ token: token }, function(success, data) { if (success) { onSuccessfulLogin(data) } else { //login failed means the token has expired loginWithEmail() } }) } 2

42. session tokens example function loginWithEmail () { var myEmail =

    prompt("Enter email", ""); var myPass = prompt("Enter your password", ""); client.login({ email: myEmail, password: myPass }, function(success, data) { if (success) { //replace the token in localStorage with new one localStorage.setItem('deepstream-token', data.token) onSuccessfulLogin(data) } else { // user login failed } }) } 3

43. Webhook authentication

44. None
45. None
46. None
47. None
48. None

49. client.login({ type: 'webhook', //other custom auth params }, (success, data)

    => { console.log(success, data) { //application logic } }) webhook authentication

50. type: http options: endpointUrl: https://someurl.com/auth-user permittedStatusCodes: [ 200 ] requestTimeout:

    2000 io hub

51. //initialize express server app.post('/login', (req, res) => { if (req.body.authData.email

    === '[email protected]' && req.body.authData.password === 'password') { res.json({ userId: '838dc811-75a1-4d71-ba8c-6f8742c6301e', clientData: { renderColor: 'blue' }, serverData: { role: 'admin' } }) } else { res.status(403).end() } }) //set default port a simple express server

52. what else?

53. client data { //"id" : "838dc811-75a1-4d71-ba8c-6f8742c6301e" //"token" : "cuxVR7OmYXxJfVwS8TVfvZfaTQND0Pqb" "themeColor"

    : "blue", "layoutConfig" : {...} }

54. #3 permissions

55. event: "*": publish: false subscribe: true user-status/$userId: #users can only

    share their own status publish: "user.id === $userId" what, why and how of valve !

56. type name action

57. type name action record: users/*: read: "true"

58. type action record event rpc presence create write read delete

    publish subscribe provide request allow

59. how? deepstream client const systemSettings = ds.record.getRecord( ‘system-settings’ ) systemSettings.set(

    ‘max-file-storage’, ‘20GB’) deepstream - permissions file(IO) / dashboard(Hub) record: system-settings: write: “user.data.role===’admin’”

60. variables 1. user { isAuthenticated //true, id //'fdmng34-jn3j45b', data //{

    'role': 'admin', 'accessLevel':3 } } record: companydata: read: “user.data.accessLevel > 2” const cData = client.record.getRecord(‘companydata’)

61. variables 2. data permissions event: addVerifiedMark: emit: "data.pageLikes > 50"

    deepstream client //const myPagelikes = num of likes on the page client.event.emit(‘addVerifiedMark’, { “pageLikes”: myPagelikes })

62. variables 3. oldData permissions record: auction/*: write: "data.currentBid > oldData.currentBid"

    deepstream client //current record data {“currentBid” : 20} client.record.setData(‘auction/54’,{ “currentBid”: 50 })

63. variables 4. now deepstream client //const time =desired time in

    ms client.record.setData(‘dhl/berlin’,{ ‘deliveryTime’: time }) permissions record: dhl/berlin: write: "data.deliveryTime > now"

64. variables 5. $variablename deepstream client client.record.setData(‘user-profile/{$data.id}’,{ “age”: 31 }) permissions

    record: user-profile/$userId: write: "user.id === $userId"

65. on your dashboard

66. string functions within Valve - startsWith - endsWith - indexOf

    - match - toUpperCase - toLowerCase - trim

67. string functions within Valve rpc: book-purchase: request: "data.card.issuer!=null && data.card.issuer.toLowerCase()

    === 'visa'" - startsWith - endsWith - indexOf - match - toUpperCase - toLowerCase - trim

68. what’s even more interesting?

69. what’s even more interesting? _( ) cross-referencing

70. record: car-sale/*: # when booking a new car sale, make

    sure that # the car that's sold exists and that its price # is the same or lower than what the customer is charged write: "_(data.carId) !== null && _(data.carId).price <= data.price" simple cross-referencing

71. client.record.setData('permissions/{$data.id}',{ canComment: true, canDelete: false }) how powerful is cross-referencing?

    record: permissions/*: write: “user.data.role === ‘admin’” 1

72. client.rpc.make(‘addComment’, ‘some-comment’, response => { //add comment some-comment }) how

    powerful is cross-referencing? rpc: addComment: request: “_(‘permission/’+user.id).canComment===true” 2

73. ...aaand we are all secured now !

74. That’s all folks ! questions? @Srushtika | [email protected] [email protected]

75. other authentication mechanisms

76. using JSON Web Token (JWT) auth

77. using JSON Web Token (JWT) auth

78. using JSON Web Token (JWT) auth

79. using JSON Web Token (JWT) auth

80. using JSON Web Token (JWT) auth

81. using JSON Web Token (JWT) auth

82. using 2FA authentication

83. using 2FA authentication

84. using HTTP cookies

85. using HTTP cookie

86. using OAuth

87. using OAuth