Token-based security
Introduction
Token-based security is the security feature you must use if you want to secure your Apideo application. With token-based security, you can:
- Be 100% sure that no other website can use your Apideo key
- Decide for each user whether he/she can:
  - Access a room
  - Access the list of users
  - Publish a stream
  - View a stream
  - Send events
  - Listen to events
Principle

The principle of token-based security is simple.
- Step 1: You generate a token (a string of random characters) on your web server. You embed this token in an XML message that lists what your user is and is not allowed to do.
- Step 2: Your web server sends the generated message directly to the Apideo server. This is sent via a simple HTTP POST message. The token is stored on the Apideo server.
- Step 3: Your web server sends your client the web page containing the Apideo code. When a room is joined, the token is passed as a parameter.
- Step 4: Your user's browser connects to Apideo. When connecting to a room, the token you generated is passed as a parameter.
- Step 5: When Apideo receives the token, it checks that the token is valid and compares the requested actions to the ones you allow. It applies security restrictions accordingly.
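
The server-side part of Steps 1 and 2, as an added example that is not Apideo's own code. The endpoint URL and the XML element and attribute names are hypothetical placeholders, because this page does not give the real message format.

```python
import secrets
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical placeholders: this page gives neither the endpoint nor the schema.
APIDEO_TOKEN_URL = "https://apideo.example.invalid/tokens"
ACTIONS = ("accessRoom", "listUsers", "publishStream",
           "viewStream", "sendEvents", "listenEvents")


def new_token(nbytes=32):
    """Step 1: draw the token from the OS CSPRNG so it cannot be guessed."""
    return secrets.token_urlsafe(nbytes)


def build_message(token, room, allowed):
    """Step 1: embed the token in an XML message listing every permission."""
    unknown = set(allowed) - set(ACTIONS)
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    root = ET.Element("token", {"value": token, "room": room})
    for action in ACTIONS:
        # State each action explicitly; anything not granted is written as denied.
        granted = "true" if action in allowed else "false"
        ET.SubElement(root, "action", {"name": action, "allowed": granted})
    # ElementTree escapes attribute values, so a room name cannot inject markup.
    return ET.tostring(root, encoding="utf-8")


def build_request(body):
    """Step 2: server-to-server HTTP POST carrying the XML message."""
    return urllib.request.Request(
        APIDEO_TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/xml"})


if __name__ == "__main__":
    token = new_token()
    body = build_message(token, "lobby", {"accessRoom", "viewStream"})
    print(body.decode("utf-8"))
    print(build_request(body).get_method())  # request is built, not sent
```

Generate a fresh token per user and per page load rather than reusing one value, so that a token copied from one page only carries that user's permissions.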
Enabling token-based security
There is nothing special you need to do to enable token-based security: you can send tokens directly to the Apideo server and use them. On its own, however, this would be useless. If you do not pass any token to the joinRoom method, the default rule parameters are used, and by default the default rule states that everything is authorized. So the first action you will want to take is to restrict access to Apideo by default. Then, you can start sending tokens.
Changing the default rule is just like sending tokens: you send an XML message to the Apideo server with the default rule in it.
Next steps
In order to use token-based security, you will need to:
