feat: Add token-level control for public updates #1017
Problem
Currently, publishers can choose between private and public updates by setting the private parameter in their request. However, this presents a security risk in frontend applications where a malicious user could modify requests to remove the private flag, potentially exposing sensitive information to unauthorized subscribers.
Solution
This PR introduces a new JWT claim allow_public_updates that can be set to false to restrict tokens to private-only updates. When this claim is present and set to false, any attempt to publish a public update will be rejected with a 401 Unauthorized response, regardless of what's in the request. This provides a server-enforced security boundary that cannot be bypassed by manipulating requests on the client side.
Implementation
Added a new canDispatchPublic function that checks for the presence of the claim
Integrated this check into the PublishHandler flow
Added tests to verify the functionality
Maintains backward compatibility by defaulting to allowing public updates when the claim is not present
Use Case
This feature is particularly useful for collaborative editing applications where you want to ensure that document updates are only visible to authorized collaborators, regardless of how the frontend code behaves.
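The check the PR describes, written out as an added example that is not the PR's own code nor the Mercure hub's: a minimal HS256 JWT verifier (standard library only) plus a claim check that treats an absent allow_public_updates claim as permitted (the backward-compatible default) and returns 401 only when the claim is false and the publish request is not marked private. The type and function names (Claims, verifyHS256, PublicUpdatesAllowed, AuthorizePublish), the demo key and the sample claims are all constructed for this example; the real hub's claim struct and handler names are not reproduced here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Claims holds only the fields this example needs (hypothetical layout).
// AllowPublicUpdates is a pointer so that an absent claim (nil) can be told
// apart from an explicit false.
type Claims struct {
	Mercure struct {
		Publish []string `json:"publish"`
	} `json:"mercure"`
	AllowPublicUpdates *bool `json:"allow_public_updates,omitempty"`
}

// verifyHS256 validates a compact HS256 JWT and returns its claims.
// The alg header is pinned to HS256 so a token with another alg is rejected
// before any signature comparison is attempted.
func verifyHS256(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// PublicUpdatesAllowed implements the PR's default: no claim means public
// updates stay allowed; only an explicit false restricts the token.
func PublicUpdatesAllowed(c *Claims) bool {
	return c.AllowPublicUpdates == nil || *c.AllowPublicUpdates
}

// AuthorizePublish returns the HTTP status a publish request should get:
// 401 when the request is public and the token forbids public updates,
// 200 otherwise. The request's own private flag cannot override the token.
func AuthorizePublish(c *Claims, private bool) int {
	if !private && !PublicUpdatesAllowed(c) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// signHS256 mints a token for the demo (constructed helper, not hub code).
func signHS256(c Claims, key []byte) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed, never use a static key in production
	f := false
	var restricted Claims
	restricted.Mercure.Publish = []string{"*"}
	restricted.AllowPublicUpdates = &f
	tok, _ := signHS256(restricted, key)
	c, _ := verifyHS256(tok, key)
	// A client that strips private=true from its request still gets 401.
	fmt.Println("public publish with restricted token:", AuthorizePublish(c, false))
	fmt.Println("private publish with restricted token:", AuthorizePublish(c, true))
}
```

The pointer-typed claim is the detail worth copying: with a plain bool, an absent claim would decode as false and silently break every existing token, which is the backward-compatibility regression the PR avoids.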