The Stream Feeds API is built with a simple permissions system for read and write privileges.
Permissions are defined at a Feed Group level.
With server-side permissions (a Stream client instantiated with the API key and secret) the permissions system is bypassed: the server can read from and write to any feed.
Feed Groups have three default permission types, plus Global Read/Write, which is enabled on request:
- Private (example: Timeline Feeds)
- Global Read (example: User Feeds)
- Global Write (example: Notification Feeds)
- Global Read/Write (no default example, see more below)
A client-side request always includes two headers: the auth type (JSON Web Token) and the Authorization itself (the signed JWT). The JWT should include the user_id of the user using the application; that user_id is what grants permissions on the feeds.
For example, the JWT below is signed with user_id: "stephen"
token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoic3RlcGhlbiJ9.N_Si-zqLOa2GcACJnZo9qwNAvhO-2cYzop20yzTc4W0"
With the JWT signed with user_id: "stephen", I have read/write access to my own feeds; for example, I can read from and write to the following feeds:
const userA = client.feed("user", "stephen", token);
const timelineA = client.feed("timeline", "stephen", token);
const notificationA = client.feed("notification", "stephen", token);
By default, the User Feed group is given Global Read permissions. This means that any user with a valid token on the application can read these feeds. So, with the current JWT, I can read the following feed:
const userB = client.feed("user", "bob", token);
However, the Timeline Feed group is not Global Read, so with this JWT I am unable to read the following feed:
const timelineB = client.feed("timeline", "bob", token);
The last type of Feed Group permission is Global Read/Write, which is exactly what it sounds like: any user with a valid token can read from or write to a feed of this type. To have one created, contact the support team at https://getstream.io/contact/support/ with your AppID, the Feed Group name, and whether you want Global Read or Global Read/Write.
A request made without the required permissions results in a permission failure in the API; the response has an HTTP code of 429 and a message detailing the permission problem. For example:
Error: {"detail":"signature is invalid","status_code":403,"code":17,"exception":"NotAllowedException","duration":"0.00ms","more_info":"https://getstream.io/docs/api_error_responses"} with HTTP status code 403