SignalR Security

14
votes

I am new to SignalR but I was curious about how secure it is.

For example, I create the following method to send a message to all users like so:

public class NotificationHub : Hub
{
    public void Send(string message)
    {
        Clients.All.broadcastMessage(message);
    }
}

SignalR generates the following method in a js file (hubs):

proxies.notificationHub.server = {
    send: function (message) {
        return proxies.notificationHub.invoke.apply(proxies.notificationHub, $.merge(["Send"], $.makeArray(arguments)));
     }
};

So, couldn't any user in the world just copy and paste this into their console and send a message of their choice to all of my users without my say-so?

var notifications = $.connection.notificationHub;
notifications.server.send("Your site has been hacked!");

I just tried this and it works - so, how can I prevent my users from sending unauthorized messages from the client side?

1
c#asp.net-mvcsignalr
I am hoping the answer needn't be too broad - I think I may be able to simply add an [Authorize(Roles ="Admin")) above my method to prevent any old user from accessing it... Just looking for some advice. I found that info here asp.net/signalr/overview/signalr-20/security/hub-authorizationuser1477388
I'm interested in the answer wether or not its a too broad.Jodrell
SignalR does have Authentication and Authorization of roles where it can limit access as to who sends what. asp.net/signalr/overview/signalr-20/security/hub-authorizationGjohn

1 Answers

15
votes

It's an HTTP endpoint like any other. If you want to restrict access to it you need to authenticate users and authorize their actions. You authenticate using standard web auth methods (forms auth, cookies, Windows auth, etc.) and you can authorize in code using SignalR constructs (like the Authorize attribute you point out) or with your own code.

This is all documented: http://www.asp.net/signalr/overview/signalr-20/security/introduction-to-security