Hope you can help with this scenario. We have a browser-based support app that uses SignalR for customer chat. The solution comprises two web apps: admin.[domain].com and support.[domain].com. Both are C# ASP.NET CORE 3.1 MVC apps.
The admin app is used by the support engineers to service the chats. The SignalR hub is hosted within the admin app. The admin app uses ASP.NET CORE identity for authentication and authorization.
However, the support app has no identity mechanism - we need a "low friction" solution where the user simply connects to support.domain.com/{GUID}, no password required. The GUID is a SignalR group name pre-generated by the support engineer. Upon hitting this route, the support app calls AddToGroup(GUID).
The SignalR documentation states that Groups are not an effective security mechanism. However if the group names are GUIDs and we never send to all clients, then is this a reasonably secure approach?
Messages are only ever sent or received within a group. The GUID makes the Group Name very safe I would have thought.
Can the chats be eavesdropped easily if the group name is an unknown GUID? Is there a better/more secure alternative to this approach, without having the client enter a password?
As you correctly said, the groups are not a security mechanism. But in your case, what you want to do is fine because, as long as a user connects to the Hub, and the groups management is made by the admin, after a chat session the admin can remove the group so the user can't join it latter.
You need to make it clear that this is a public session like you can see in apps like whiteboards where users can join if they have a invitation link.
I also would recommend implement some ttl mechanism to groups expire after a while to user don't join a session latter.
At last, just do some defensive codding like, allowing only be 1 admin and 1 user in each group at a time, etc...