
Activities Feed Client - Should support invoke/invalidate user token

Open tronghm88 opened this issue 4 years ago • 4 comments

Hi there. I'm facing a problem: I want to invoke a user token so that it is disabled from calling the Stream API from clients. I searched your documents and saw that the Chat Client has an invokeUserToken function, but the Activities Feed Client doesn't. My context is:

First, I generate a user token on the server side that can READ two feed groups, GROUP_1 and GROUP_2, then send the token to the client so the client can connect to the Stream API directly. Later I generate a new token that can read only one group, GROUP_1. So I need to generate the new token and send it to the client one more time. As for the old token, I want to force it to expire or block it in some way so the user cannot use the old token to access GROUP_2. Please tell me how I can implement this logic?

Thanks for the super great thing.

gz#13574

tronghm88 avatar Jul 14 '21 16:07 tronghm88

Agent comment from Zachery Converse in Zendesk ticket #13574:

Hello,

Thanks for reaching out to Stream! I'll look into this and get back to you.

Feel free to let us know if you have any additional information or questions.

Cheers, -Zachery Getstream.io


shodgetts avatar Jul 14 '21 16:07 shodgetts

Agent comment from Zachery Converse in Zendesk ticket #13574:

Hi,

Tokens are unique to each user and are not used to control permissions. Permissions are defined at a Feed Group level. invokeUserToken does not exist for the feeds product.

These docs are quite good at explaining these premises.

It is possible to add expiration logic to a token: Token Expiration/Refreshing - Feeds

This article is also quite useful: I'm receiving HTTP 403 Errors in my Feeds App

Feel free to let me know if you have any questions.

Cheers, -Zachery Getstream.io


shodgetts avatar Jul 14 '21 20:07 shodgetts

Thanks so much for your answer. But I'm still confused.

  1. About this: "not used to control permissions. Permissions are defined at a Feed Group level." I read this document https://getstream.io/activity-feeds/docs/javascript/auth_and_permissions/?language=javascript and the Authentication section of the REST document https://getstream.io/docs_rest/

I understand that if we add permission scopes to the JWT token payload, we can control user permissions when the client uses the tokens to call the Stream API directly. Pardon me, but I haven't found a document about "Permissions are defined at a Feed Group level." Can you share a link with me?

  2. Next, for example, at first my backend generates a user token with the permission scope below: { "resource": "*", "action": "read", "feed_id": "user1, user2" }. At this moment the client can read the feeds of both user1 and user2, right? Because of our business, one day my backend must deny that user so he can't read the feed of user2 anymore. So we must regenerate a new token with the scope below: { "resource": "*", "action": "read", "feed_id": "user1" } and send it to the client. But somehow we want the old token to be invalidated/revoked immediately, because it may take a day until the old token expires.

Looking forward to your reply. Thank you so, so much.

tronghm88 avatar Jul 15 '21 01:07 tronghm88

One more problem: if I use the permission scope as above, the client cannot use tokens with a permission scope to get the reactions of activities, even if those activities are theirs.

tronghm88 avatar Jul 15 '21 10:07 tronghm88