I want to have custom permissions for different channels for security purposes. In the documentation and examples, short-lived tokens are used. I don't want to spam the auth server every minute and don't want attackers being able to spam until their token is revoked. PubNub grants are very simple and work well. Does Ably have a similar feature for access management?
How to revoke a token in ably.io?
268 views Asked by Arp Lee At
There are 3 answers
0
On
I might not be understanding the question fully, but Ably does have the ability to give granular permissions on a per-channel level. It works by granting capabilities to an API key and scoping the API key to a channel; more info in the FAQ.
So you could:
- Create an API key named Channel A Pub with only publish capabilities to channel A.
- Create an API key named Channel A Sub with only subscribe capabilities to channel A.
- Create an API key named Channel B Pub+Sub with both publish & subscribe capabilities to channel B.
This does require your application to use multiple API keys and create multiple Realtime/REST instances for each of them.
Creation of API keys can be done at runtime now that the Control API has been made available. That allows for creation of apps, keys, queues, and integration rules.
In addition there is a token revocation API that can be used to revoke API keys.
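The per-channel scoping described in the answer above, as an added example that is not part of the original answer and is not Ably's code: a simplified model of resource-to-operations capability maps for the three keys, with a check and a review helper for over-broad keys. The channel names `channel-a` and `channel-b`, the function names, and the rule that any matching entry grants the operation are assumptions of this sketch.

```javascript
// Simplified model of per-key channel capabilities (constructed example).
// Key names mirror the answer's list; channel names are assumed.
const KEYS = {
  "Channel A Pub": { "channel-a": ["publish"] },
  "Channel A Sub": { "channel-a": ["subscribe"] },
  "Channel B Pub+Sub": { "channel-b": ["publish", "subscribe"] },
};

// A resource matches a channel if it is "*", the exact channel name,
// or a "namespace:*" wildcard covering the channel's namespace.
function resourceMatches(resource, channel) {
  if (resource === "*" || resource === channel) return true;
  if (resource.endsWith(":*")) {
    // "chat:*" -> prefix "chat:", so "chatroom" does not match.
    return channel.startsWith(resource.slice(0, -1));
  }
  return false;
}

// Assumption of this model: an operation is allowed when any matching
// resource entry lists it, or lists "*" for all operations.
function isAllowed(capability, channel, operation) {
  return Object.entries(capability).some(
    ([resource, ops]) =>
      resourceMatches(resource, channel) &&
      (ops.includes("*") || ops.includes(operation))
  );
}

// Review helper: names of keys that use a wildcard resource or a
// wildcard operation, so least-privilege violations stand out.
function overBroadKeys(keys) {
  return Object.entries(keys)
    .filter(([, cap]) =>
      Object.entries(cap).some(
        ([resource, ops]) => resource.includes("*") || ops.includes("*")
      )
    )
    .map(([name]) => name);
}
```

A leaked "Channel A Sub" key in this model can only subscribe on one channel, which is the point of splitting keys by channel and operation.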
0
On
Ably now has a token revocation API. https://ably.com/docs/core-features/authentication#token-revocation
According to the documentation it seems impossible:
Source: https://support.ably.com/support/solutions/articles/3000056545-recommendations-for-incrementally-authorising-new-capabilities