
I can access published messages after the user closes the app session, using the Twig function

Open frizquierdo opened this issue 1 year ago • 0 comments

I use Mercure outside the API Platform ecosystem, with the mercure() Twig function in a template, to notify the completion of tasks executed in the background, update graphics in real time, and for other updates that do not need to be private but must be reflected in the web interface. All this works fine.

mercure recipe:

mercure:
    hubs:
        default:
            url: '%env(MERCURE_URL)%'
            public_url: '%env(MERCURE_PUBLIC_URL)%'
            jwt:
                secret: '%env(MERCURE_JWT_SECRET)%'
                publish: ['squid/status', 'sysinfo/report', 'server/tools/datetime', 'internet/status', 'cuote/consumo-total', 'squid-proxy/access-log/monitor', 'notif/task-complete/{userId}', 'notif/list/latest/{userId}']
                subscribe: ['squid/status', 'sysinfo/report', 'server/tools/datetime', 'internet/status', 'cuote/consumo-total', 'squid-proxy/access-log/monitor', 'notif/task-complete/{userId}', 'notif/list/latest/{userId}']

In the base template.html.twig:

{% block eventsource_javascript %}
    {% set config = {'mercureHub':mercure(['squid/status', 'notif/task-complete/'~app.user.idPublico|uuid_encode, 'notif/list/latest/'~app.user.idPublico|uuid_encode], { subscribe:['squid/status', 'notif/task-complete/'~app.user.idPublico|uuid_encode, 'notif/list/latest/'~app.user.idPublico|uuid_encode]})} %}
    <script id="mercure" type="application/json">
        {{ config|json_encode(constant('JSON_UNESCAPED_SLASHES') b-or constant('JSON_HEX_TAG'))|raw }}
    </script>
{% endblock %}

If the user starts a session in the web app and copies the Mercure request URL ( https://squidmgr.lan/.well-known/mercure?topic=squid%2Fstatus&topic=sysinfo%2Freport&topic=server%2Ftools%2Fdatetime&topic=internet%2Fstatus&topic=cuote%2Fconsumo-total&topic=notif%2Ftask-complete%2F2nC0OMu3USsHE0AdKkreLz&topic=notif%2Flist%2Flatest%2F2nC0OMu3USsHE0AdKkreLz ), logs out of the application session and pastes the copied URL into the browser, all messages related to the topics present in the copied URL remain accessible; if the same user then starts a session in another browser or computer, the updates for topics that include the user id are visible in the browser that accesses the Mercure request URL directly. On the other hand, if the user closes the browser, reopens it and pastes the URL, then the message "Unauthorized" from Mercure is displayed. Isn't the mercureAuthorization cookie supposed to be destroyed when the logout process occurs??? It doesn't matter that public updates are accessible outside the session, but private updates must not be accessible outside the user's session.

I need that 'notif/task-complete/{userId}' or 'notif/list/latest/{userId}', for example, are not accessible once the user logs out.

frizquierdo avatar Oct 21 '23 14:10 frizquierdo
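The behaviour described above is consistent with the mercureAuthorization cookie surviving the application logout: the browser keeps sending it to the hub until the browser session ends, which is why a fresh browser gets "Unauthorized". The bundle does not clear it on its own, so the usual fix is a logout listener that expires the cookie. The following is an added example, not code from the issue author or from the bundle; it assumes a Symfony application with attribute-based event listeners, that the bundle's Symfony\Component\Mercure\Authorization service is autowirable (it is registered by MercureBundle), and the class and namespace names are made up for the illustration.

```php
<?php
// src/EventListener/ClearMercureCookieOnLogout.php (hypothetical path and class name)
// Added example: expire the mercureAuthorization cookie when the user logs out,
// so the browser that held the session can no longer reuse it against the hub.

namespace App\EventListener;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\Mercure\Authorization;
use Symfony\Component\Security\Http\Event\LogoutEvent;

#[AsEventListener(event: LogoutEvent::class)]
final class ClearMercureCookieOnLogout
{
    public function __construct(private readonly Authorization $authorization)
    {
    }

    public function __invoke(LogoutEvent $event): void
    {
        // Authorization::clearCookie() attaches an already-expired mercureAuthorization
        // cookie to the request; the bundle's SetCookieSubscriber copies it onto the
        // logout response (the redirect after logout), so the browser discards the
        // cookie and subsequent direct requests to /.well-known/mercure for the
        // private topics are rejected with 401 Unauthorized.
        $this->authorization->clearCookie($event->getRequest());
    }
}
```

Clearing the cookie only removes it from the browser that performed the logout; the JWT inside it is still cryptographically valid until its `exp` claim. A copy of the cookie value taken before logout therefore keeps working until that time, so the second half of the mitigation is to keep the token short-lived (the `mercure()` Twig function accepts an `additionalClaims` option where `exp` can be set, and `Authorization` also takes a cookie lifetime; which of these the bundle version in use supports should be checked against its documentation rather than assumed here) and to keep private topic names, such as the per-user `notif/...` topics above, out of any URL that is shared or logged.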