
How to get session context in wamp router validator


Following a comment and a criticism that the question was too broad, I'll try to make it more specific:

Environment - Server: autobahn|python with twisted, wampv2

Given that:

a) I have a class which extends RouterSession and authenticates the user, and at the moment of authentication knows who the user accessing the WAMP service is; and

b) I have a class which extends ApplicationSession and on creation exposes several RPC methods through WAMP

How do I access the user data in the exposed RPC method? By user data I mean the data which I verified at the beginning of a specific client connection through RouterSession. ApplicationSessions are initiated only once, and don't have a clue about the caller (from what I have seen in the debugger).

The reason I need this is to execute the RPC call in the context of the calling user, where the method's result might depend on specific user profile properties.

I am probably looking for something which could represent Application instances created per connection (which could then hold a reference to the authorization result and data), the way most server Protocols operate in Twisted.

-----------------ORIGINAL POST-----------

Brief question: imagine a scenario where user rights are based not on the method but on the object. Example: I may have the right to edit my profile account and the profile accounts of my subordinates, but not any other. This leads to a situation where I would expose the "com.myorg.profile.update_profile_details" RPC through WAMP to everyone, but would have to check which user is trying to modify which profile. I see there is a validate mechanism in the WAMP Router to deal with validating requests, but it seems that it lacks a reference to the previous authentication result or session. I really would like to avoid passing session keys (or, god forbid, auth tokens) back and forth through WAMP; what's the suggested approach for this?

----------------END OF ORIGINAL POST----------


Solution

  • After debugging traces back and forth, I found a solution which fits me - the trick is to pass an additional options parameter when registering RPC methods:

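    from autobahn.wamp.types import RegisterOptions

    # details_arg names the keyword argument that receives the CallDetails object
    self.register(self.test_me_now, 'com.ossnet.testme', options=RegisterOptions(details_arg='details', discloseCaller=True))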
    

    and voila - there is a new incoming parameter in the registered RPC method: 'details', with the following contents:

    CallDetails: CallDetails(progress = None, caller = 774234234575675677138, authid = johan.gram, authrole = user, authmethod = ticket)
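The object-level check from the original post, built on the `details` argument described above, as an added example that is not part of the original question or answer. The `CallDetails` stand-in (so the code runs without a router), the reporting table, the `NotAuthorized` exception and the `phone`/`title` fields are assumptions constructed for illustration.

```python
from collections import namedtuple

# Stand-in for the object passed as `details`; fields are the ones printed
# in the answer above. Constructed so the example runs offline.
CallDetails = namedtuple("CallDetails", "progress caller authid authrole authmethod")

# Constructed sample data: employee -> direct manager, and profile records.
MANAGER_OF = {"anna.berg": "johan.gram", "ola.lind": "anna.berg",
              "eva.holm": "sven.dahl"}
PROFILES = {name: {"phone": "", "title": ""}
            for name in ("johan.gram", "anna.berg", "ola.lind",
                         "eva.holm", "sven.dahl")}
EDITABLE_FIELDS = {"phone", "title"}


class NotAuthorized(Exception):
    """Hypothetical error type; a real session would raise a WAMP error."""


def may_edit(authid, target):
    """True if target is the caller or is below the caller in the hierarchy."""
    seen = set()
    current = target
    # Walk up the reporting chain; `seen` guards against cyclic data.
    while current is not None and current not in seen:
        if current == authid:
            return True
        seen.add(current)
        current = MANAGER_OF.get(current)
    return False


def update_profile_details(target, changes, details=None):
    """RPC body for com.myorg.profile.update_profile_details.

    The caller's identity is taken only from the router-supplied `details`,
    never from an argument the client controls.
    """
    if details is None or not details.authid:
        raise NotAuthorized("caller identity was not disclosed")
    # Same error for "unknown profile" and "not allowed", so the procedure
    # does not reveal which profile names exist.
    if target not in PROFILES or not may_edit(details.authid, target):
        raise NotAuthorized("not permitted to edit this profile")
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:
        raise ValueError("fields not editable: %s" % sorted(unknown))
    PROFILES[target].update(changes)
    return dict(PROFILES[target])
```
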