Permissions in custom authentication

steveBetl
edited December 2016 in Photon Server
Hi,

I'm making progress on custom authentication, but before I go running off down an over-complicated track I wanted to see if I was doing something wrong.

In the LoadBalancing server example:
1. Authentication is called on operations by MasterClientPeer and GameClientPeer.
2. When a user logs in, they are authenticated by MasterClientPeer - this calls the authentication server
3. When a user creates a room, they are authenticated by GameClientPeer, which doesn't call the authentication server.

These uses are driven by the OnOperationRequest method.

If I want to allow only permitted users to create rooms (e.g. my control panel client) then I modify GameClientPeer so that when OnOperationRequest is called with OperationCode.CreateGame I do an authentication step that involves querying the authentication server to see if the user is permitted to create rooms, right?

So I could do this by inserting something like
this.HandleAuthenticateOperation(request, sendParameters);
above the call to HandleGameCreation and it would try to authenticate.

There are two problems now:
1. Since the GameClientPeer doesn't actually call the authentication server, I'm also expecting that I have to change the HandleAuthenticateOperation
2. I think I may have to override it completely, since at that point it's a CreateGame request, not an authentication request. And that means that I need to pass some parameters along with the CreateGame request from the client - name and password, or an access token.

So, is this about right? Or is there a "limit room creation to specific user roles" switch somewhere (I'm not hopeful, but it would be nice :smile:)

Thanks,

Steve

Comments

  • chvetsov
    MasterClientPeer returns a token to the client. It has a field AuthCookie. You may set there whatever you need.
    This AuthCookie can be used on the GS directly if you like, or you may use the WebHooks plugin. It will send an OnCreateGame request to your server. This request will contain the AuthCookie. Do you see what I mean?
  • steveBetl
    edited December 2016
    Hi @chvetsov

    Just to check, the client can't set the fields on the auth cookie themselves, right? Because that would be bad.

    In the process of writing out this question, I have understood what you meant. Thanks very much. I'm posting my solution for the next person with this question. Please tell me if it's wrong :smile:

    In my authorisation server if the user is an administrator then I return a Json code like

    result = {
    ResultCode=1,
    UserId=request.query['username'],
    AuthCookie={IsAdmin=true}
    }
    Then, in the AuthQueueResponseCallback method (in CustomAuthHandler), this will automatically be converted into an auth cookie with:
    customAuthResult = Newtonsoft.Json.JsonConvert.DeserializeObject(responseString);

    During the creategame operation, you'll be able to access the auth cookie from the GameClientPeer.
  • chvetsov
    >Just to check, the client can't set the fields on the auth cookie themselves, right?
    Yes, that is right.

    >During the creategame operation, you'll be able to access the auth cookie from the GameClientPeer.
    Well, we do not use this value anyhow; we just send it to the HTTP server during the on create game request, and the HTTP server checks this value and may return whether the game can be created or not.

    Other parts of the solution are correct.
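
The check described in the comment above, sketched as an added example (not code from the thread or from Photon): the HTTP server that receives the create-game request reads the server-set AuthCookie and fails closed unless IsAdmin is the JSON boolean true. The function names, the sample bodies and the reply convention (ResultCode 0 allows, anything else refuses) are assumptions to check against your WebHooks configuration.

```python
import json

# Assumed reply convention for the webhook: ResultCode 0 allows the room.
ALLOW = {"ResultCode": 0, "Message": "OK"}


def deny(reason):
    # Any non-zero ResultCode is treated as "refuse" (assumption).
    return {"ResultCode": 1, "Message": reason}


def decide_create_game(raw_body):
    """Return the reply for a create-game webhook call. Fails closed."""
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        return deny("malformed request")
    if not isinstance(body, dict):
        return deny("malformed request")

    # Only the AuthCookie is trusted: it was set by the authentication
    # server, not by the client. A top-level IsAdmin field is ignored.
    cookie = body.get("AuthCookie")
    if not isinstance(cookie, dict):
        return deny("no auth cookie")
    # Require the JSON boolean true; "true", 1 or "yes" must not pass.
    if cookie.get("IsAdmin") is not True:
        return deny("room creation requires IsAdmin")
    return dict(ALLOW)


# Constructed sample request bodies (not captured from a real server).
SAMPLES = {
    "admin": '{"UserId": "panel", "AuthCookie": {"IsAdmin": true}}',
    "player": '{"UserId": "bob", "AuthCookie": {"IsAdmin": false}}',
    "string_flag": '{"UserId": "eve", "AuthCookie": {"IsAdmin": "true"}}',
    "outside_cookie": '{"UserId": "eve", "IsAdmin": true}',
    "no_cookie": '{"UserId": "eve"}',
    "garbage": "not json",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, decide_create_game(raw))
```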
  • steveBetl
    Thanks very much. I'm slowly getting the hang of this.

    I feel like I've moved from "Completely incompetent" to "Dangerously incompetent" :smile:
  • chvetsov
    keep going