Client server setup with auth and permission

jaideepdas · November 9, 2021, 10:32am

We are testing yjs to use it for our collaborative web application. It’s very well implemented. As our application is multi-tenant and multi-user with granular permission. We are thinking that we will have a single document on the server side that will be replicated with filtration on the client side.
The client will be like a subset which only the logged in user has permission to access.
So what we are thinking is having a big document that will contain mapping and arrays of objects from our DB and somehow when responding back to the client we filter and return only the subset of these mappings and arrays which the client user has permission to.

So to do that we have to tap into the responder mechanism, is there a hook we can use to alter the response packet? So we can add our permission check there.

dmonad · November 9, 2021, 1:32pm

Welcome to the discussion board @jaideepdas,

For each user, you could maintain a separate Y.Doc on the server that is a replication of the original Y.Doc, but only contains the information that the user has access to. You just need to implement a “binding” that keeps them in-sync by listening to observe events. I recommend not to work with updates here, because they might contain sensitive information.

However, this approach is probably hard to implement, memory-inefficient, and rather prone to bugs (though it can definitely be done).

A better approach would be to separate the data into different subdocuments that have different permissions. E.g. when implementing comments on an editor, you often want separate permissions for documents on the text document and on the comments. You can achieve that by separating comments into a separate document that will be maintained in a different structure. The subdocuments feature is very handy to build complex applications with different permissions.

jaideepdas · November 9, 2021, 1:38pm

thanks @dmonad I will give this approach a try.

jaideepdas · November 9, 2021, 1:43pm

@dmonad for each individual document which will be a representation of a db object, can we use the auth protocol and control read write using that ? for example if we create one big document which is just ref ID of the individual documents then those individual document can control their own access.
Will that work?

github.com

yjs/y-protocols/blob/master/auth.js


import * as Y from 'yjs' // eslint-disable-line
import * as encoding from 'lib0/encoding'
import * as decoding from 'lib0/decoding'

export const messagePermissionDenied = 0

/**
 * @param {encoding.Encoder} encoder
 * @param {string} reason
 */
export const writePermissionDenied = (encoder, reason) => {
  encoding.writeVarUint(encoder, messagePermissionDenied)
  encoding.writeVarString(encoder, reason)
}

/**
 * @callback PermissionDeniedHandler
 * @param {any} y
 * @param {string} reason

This file has been truncated. show original

dmonad · November 10, 2021, 8:22am

Yeah that should work. However, neither y-websocket server nor y-protocols have permission control for documents at the moment (e.g. allow read-only access). This is something you can add fairly easily by yourself (check the forum) by filtering update messages and SyncStep2 messages from read-only clients. Hocuspocus already implemented something like this.

MentalGear · February 15, 2024, 10:09pm

Hey @jaideepdas . Also interested in access/permission management. May I ask what you ended up doing and how it worked out? Thx!