Question
I need to know what the security risks are of using unauthorized event broadcasting in Laravel. I'm using angular-js for my front-end and Laravel as back-end API. I'm intending to use Laravel event broadcasting (socket.io + redis), and I want to know whether there is any security risk if I broadcast unimportant, public data to the front-end while it's not authenticated?
Thanks in advance.
Answer 1:
I don't think the paradigm is really any different from a traditional web application or API. The same concerns exist and it has nothing to do with sockets. The fact that your architecture now has socket.io/nodeJS in the mix just means that authentication is a little more involved. When you moved from doing sessions with a file system and a single server to a pool of servers and, say, memcached or a database for sessions, it changed how you handled authentication, not the need for it. So in some ways it feels like you are asking for permission to cop out on this :)
Really though only you can say if it is needed for your application. If it's like you say, unimportant and public... would you likely require authentication to view it on a page in your site in a traditional web app? Are you just being lazy?
1) Abuse. Can I modify a request to iterate over some ID to harvest any useful information?
2) Missed opportunity. Will the Node backend grow? At some point will you regret not having an authenticated user available there?
3) Denial of Service. Can I make high cost requests and exhaust resources?
Probably others I'm missing. Just my two cents. I'll try to provide an example later on your question, Authorization for laravel passport through socket.io for broadcasting channels
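As an added example (not code from the question or the answer), this is what the authenticated-channel approach the answer argues for looks like in Laravel: the event broadcasts on a PrivateChannel, and the channel callback in routes/channels.php decides per subscriber whether they may listen, which is what closes the "iterate over some ID" abuse and avoids broadcasting unauthenticated. The event name OrderUpdated, the Order model and the `orders.{orderId}` channel are assumptions for illustration.

```php
<?php
// Added illustration, not the question's or the answer's code.
// Two files are shown in one block, separated by comments.

// ---- app/Events/OrderUpdated.php ----
namespace App\Events;

use App\Models\Order;                                   // assumed model
use Illuminate\Broadcasting\InteractsWithSockets;
use Illuminate\Broadcasting\PrivateChannel;
use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
use Illuminate\Foundation\Events\Dispatchable;
use Illuminate\Queue\SerializesModels;

class OrderUpdated implements ShouldBroadcast
{
    use Dispatchable, InteractsWithSockets, SerializesModels;

    public function __construct(public Order $order) {}

    // PrivateChannel: the socket server must first obtain authorization
    // from Laravel for this subscriber. A plain Channel would let any
    // connected, unauthenticated client receive the payload.
    public function broadcastOn(): array
    {
        return [new PrivateChannel('orders.' . $this->order->id)];
    }

    // Send only the fields the client needs, not the whole model, so a
    // message that does reach the wrong client exposes as little as possible.
    public function broadcastWith(): array
    {
        return ['id' => $this->order->id, 'status' => $this->order->status];
    }
}

// ---- routes/channels.php ----
use Illuminate\Support\Facades\Broadcast;

// Evaluated on every subscription attempt to orders.{orderId}. Returning
// false rejects the subscriber, so a client cannot walk through order ids
// to harvest other users' data (point 1 in the answer above), and the
// check is an indexed lookup, keeping the cost of a rejected attempt low.
Broadcast::channel('orders.{orderId}', function ($user, $orderId) {
    $order = Order::find((int) $orderId);
    return $order !== null && (int) $order->user_id === (int) $user->id;
});
```

With the event dispatched as `OrderUpdated::dispatch($order)`, the front-end subscribes with the private-channel helper of its client library and the socket server relays only after the callback returns true.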
Source: https://stackoverflow.com/questions/50187836/whats-the-security-risks-of-unauthenticated-laravel-event-broadcasting