Permissions in custom authentication
Hi,
I'm making progress on custom authentication, but before I go running off down an over-complicated track I wanted to see if I was doing something wrong.
In the LoadBalancing server example:
1. Authentication is called on operations by MasterClientPeer and GameClientPeer.
2. When a user logs in, they are authenticated by MasterClientPeer - this calls the authentication server.
3. When a user creates a room, they are authenticated by GameClientPeer, which doesn't call the authentication server.
These uses are driven by the OnOperationRequest method.
If I want to allow only permitted users to create rooms (e.g. my control panel client) then I modify GameClientPeer so that when OnOperationRequest is called with OperationCode.CreateGame I do an authentication step that involves querying the authentication server to see if the user is permitted to create rooms, right?
So I could do this by inserting something like
this.HandleAuthenticateOperation(request, sendParameters);
above the call to HandleGameCreation and it would try to authenticate.
There are two problems now:
1. Since the GameClientPeer doesn't actually call the authentication server, I'm also expecting that I have to change the HandleAuthenticateOperation.
2. I think I may have to override it completely, since at that point it's a CreateGame request, not an authentication request. And that means that I need to pass some parameters along with the CreateGame request from the client - name and password, or an access token.
So, is this about right? Or is there a "limit room creation to specific user roles" switch somewhere (I'm not hopeful, but it would be nice)?
Thanks,
Steve
Comments
MasterClientPeer returns a token to the client. It has a field, AuthCookie. You may set there whatever you need.
This AuthCookie can be used on the GS directly if you like, or you may use the WebHooks plugin. It will send an OnCreateGame request to your server. This request will contain the AuthCookie. Do you see what I mean?
Hi @chvetsov
Just to check, the client can't set the fields on the auth cookie themselves, right? Because that would be bad.
In the process of writing out this question, I have understood what you meant. Thanks very much. I'm posting my solution for the next person with this question. Please tell me if it's wrong.
In my authorisation server, if the user is an administrator then I return JSON like
result = {
    ResultCode=1,
    UserId=request.query['username'],
    AuthCookie={IsAdmin=true}
}
Then, in the AuthQueueResponseCallback method (in CustomAuthHandler), this will automatically be converted into an auth cookie with:
customAuthResult = Newtonsoft.Json.JsonConvert.DeserializeObject(responseString);
During the creategame operation, you'll be able to access the auth cookie from the GameClientPeer.
>Just to check, the client can't set the fields on the auth cookie themselves, right?
Yes, that is right.
>During the creategame operation, you'll be able to access the auth cookie from the GameClientPeer.
Well, we do not use this value anyhow; we just send it to the HTTP server during the create game request, and the HTTP server checks this value and may return whether the game can be created or not.
Other parts of the solution are correct.
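The flow agreed on above, as an added Python example that is not code from the thread or from Photon: the authentication server decides what goes into AuthCookie, and the HTTP server that receives the create-game request allows it only for an admin cookie. The user table, the password handling, the failure code 2, the function names and the shape of the webhook body (AuthCookie as a top-level field) are assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user table standing in for the auth server's database.
# The role is stored server-side and never read from the client's request.
USERS = {
    "panel": {"pw": _hash("panel-secret"), "is_admin": True},
    "player": {"pw": _hash("player-secret"), "is_admin": False},
}

def authenticate(query):
    """Build the custom-auth reply from the login query parameters."""
    user = USERS.get(query.get("username", ""))
    supplied = _hash(query.get("password", ""))
    if user is None or not hmac.compare_digest(user["pw"], supplied):
        return {"ResultCode": 2}  # assumed failure code, no cookie issued
    return {
        "ResultCode": 1,
        "UserId": query["username"],
        # Only server-side data goes in; a client-sent IsAdmin is ignored.
        "AuthCookie": {"IsAdmin": user["is_admin"]},
    }

def may_create_game(webhook_body):
    """Decide a create-game request from the forwarded AuthCookie."""
    cookie = webhook_body.get("AuthCookie")
    if not isinstance(cookie, dict):
        return False  # cookie missing or malformed: deny by default
    return cookie.get("IsAdmin") is True  # the string "true" does not pass

if __name__ == "__main__":
    login = authenticate({"username": "player", "password": "player-secret",
                          "IsAdmin": "true"})
    print(login, may_create_game({"AuthCookie": login["AuthCookie"]}))
```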
Thanks very much. I'm slowly getting the hang of this.
I feel like I've moved from "Completely incompetent" to "Dangerously incompetent".
Keep going.