Question

I have a SignalR app hosted in a Windows service (using OWIN & Katana for self-hosting), and it's listening on mydomain.com:8080.

On the same server, I also have an MVC application which is basically a website that connects to my SignalR hub which I mentioned above.

I want to restrict access to my SignalR app to my MVC application only. I've searched the internet but didn't come across an example of this.

Is it possible to achieve this? How can I get the information about if the connection is coming from my MVC app or from another app? Do I need to implement an authorization for my own MVC application to be able to connect to my SignalR application?

Right now, everyone on the internet can access the mydomain.com:8080/signalr endpoint, which basically means a competitor can code a client that connects to my SignalR hub and uses it. What are the options to prevent this scenario?

P.S.: Please ask for more information, if you need it, instead of just marking the post as "non constructive", because I don't know how this question can be asked more "constructively".


Solution

I believe I have a working example, it's quick and dirty, but it should do the job, and you should be able to expand it so it'll fit your needs better:

I created a class that inherits from Microsoft.AspNet.SignalR.AuthorizeAttribute and overrode the AuthorizeHubConnection method:

using System;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;

[AttributeUsage(AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
public class CustomAuthorize : AuthorizeAttribute
{
    public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
    {
        // Reject the connection when the header is missing or is not a valid
        // absolute URI, rather than letting new Uri(...) throw on it.
        string referer = request.Headers["Referer"];
        Uri refererUri;
        if (string.IsNullOrEmpty(referer) || !Uri.TryCreate(referer, UriKind.Absolute, out refererUri))
        {
            return false;
        }

        // Compare only the host/authority part against the hard-coded value.
        return refererUri.Authority == "mydomain.com:8080";
    }
}

All it does is check the Referer header's host/authority against a hard-coded one, and return true if they match.

You can then use it like this:

[CustomAuthorize]
public class ChatHub : Hub
{
    //Hub code here...
}

If CustomAuthorize returns false, the request will stop there. The hub's OnConnected() will not be triggered.

OTHER TIPS

Just use the CORS option instead of writing code. In CORS, allow your domain only.
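As an added example (not code from either answer above), here is what the CORS tip looks like in the OWIN Startup of the self-hosted SignalR service, with the weak allow-all setting shown commented out beside a policy that admits a single origin; the origin value is a placeholder for wherever the MVC site is actually served from.

```csharp
using System.Threading.Tasks;
using System.Web.Cors;        // CorsPolicy (Microsoft.AspNet.Cors package)
using Microsoft.Owin.Cors;    // CorsOptions, CorsPolicyProvider, UseCors
using Owin;

public class Startup
{
    // Placeholder: the exact scheme + host (+ port) of the MVC site.
    // Browsers compare this string byte-for-byte with the Origin they send.
    private const string AllowedOrigin = "https://mydomain.com";

    public void Configuration(IAppBuilder app)
    {
        // Weak setting: CorsOptions.AllowAll echoes every Origin back in
        // Access-Control-Allow-Origin, so any site can script against the hub.
        // app.Map("/signalr", map => { map.UseCors(CorsOptions.AllowAll); map.RunSignalR(); });

        // Hardened setting: only the listed origin gets a CORS response;
        // AllowAnyOrigin stays at its default of false.
        var policy = new CorsPolicy
        {
            AllowAnyHeader = true,
            AllowAnyMethod = true,
            SupportsCredentials = true // needed if the hub relies on cookie auth
        };
        policy.Origins.Add(AllowedOrigin);

        var corsOptions = new CorsOptions
        {
            PolicyProvider = new CorsPolicyProvider
            {
                // Same policy for every request; a resolver could also vary it per path.
                PolicyResolver = context => Task.FromResult(policy)
            }
        };

        app.Map("/signalr", map =>
        {
            map.UseCors(corsOptions);
            map.RunSignalR();
        });
    }
}
```

Both CORS and the Referer check constrain only browsers, which enforce the policy and set those headers themselves; a non-browser client chooses its own headers, so keeping the hub to the MVC app alone still needs the connection to carry something the hub can verify, such as a signed token checked inside AuthorizeHubConnection.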

Licensed under: CC-BY-SA with attribution