I followed this thread, but as I have not fully understood the answer in my case, I would like to post again.
I am using EventSource in my front end, and the backend is using echo event to stream data relating to a drone to my application.
    var source = new EventSource(`blabla:3000/sse?channel=myProject${projectID}`);
    source.addEventListener(`myDrone${droneID}`, function(e){
        console.log('Received an update message:', e.data);
    });
In the backend, by default nothing is streaming, and a user on connection will request the backend to start emitting events. This call is secured using jwt_token. So to make the server start streaming, a token is needed.
The question I have is, when a server is already streaming.
Let's say I am not connected (so no valid token), and I decide to connect to the SSE stream because I know the channel name and the server is already streaming. If I start a new EventSource on blabla:3000/sse?channel=myProject${projectID}, would I still be able to see all of the messages sent through this channel? I believe yes.
How is it possible to secure those streamed events so that only registered users receive them?
Ex : (read from top to bottom)
How can I prevent a user who knows the channel name from receiving all the events streamed by the server?
The front end and backend are hosted on the same domain at the moment, but this might change, so I need a broad answer.
https://github.com/EventSource/eventsource ? – Majoris
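An added example, not part of the original post or of the backend it describes: the subscribe request itself is authorized, so knowing the channel name is not enough to join a stream that is already running. It assumes an HS256-signed JWT passed in a hypothetical `token` query parameter (the browser EventSource API cannot set custom headers) and a hypothetical `channels` claim listing the channels the user may read.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Helper to mint constructed sample tokens (assumption: the backend signs with HS256).
function signJwt(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Returns the claims if the token is authentic and unexpired, otherwise null.
function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm instead of trusting whatever the header claims.
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const expected = hmac(`${head}.${body}`, secret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    return typeof claims.exp === 'number' && claims.exp > nowSec ? claims : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Decide whether GET /sse?channel=...&token=... may subscribe.
// 401: no valid token. 403: valid user, but not entitled to this channel.
function authorizeSubscription(reqUrl, secret, nowSec) {
  const query = new URL(reqUrl, 'http://localhost').searchParams;
  const claims = verifyJwt(query.get('token'), secret, nowSec);
  if (!claims) return { status: 401 };
  const channel = query.get('channel');
  const allowed = Array.isArray(claims.channels) && claims.channels.includes(channel);
  return allowed ? { status: 200, channel, user: claims.sub } : { status: 403 };
}
```

The `/sse` handler would call `authorizeSubscription` before writing the first event and close the response on anything other than 200. Because query strings end up in access logs, the token used here should be short-lived and issued only for opening the stream.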