Private Channels And Access
Purpose: define private-channel ownership and authorization behavior.
Preconditions
- Have at least one valid account Bearer token.
- Use channel IDs consistently across writer/reader clients.
API/Script Flow
- Claim channel ownership:
  - First authenticated write to POST /log?cid=<id> on an unowned channel sets the channel owner account.
- Read as owner:
  - GET /log?cid=<id> with the owner token returns the channel logs.
- Enforce non-owner access:
  - Wrong-account reads/writes return 404.
- Enforce unauthenticated access:
  - Private channel writes without a token return 401.
  - Private channel reads without a token return 404.
- WebSocket private access:
  - Upgrade to /ws?cid=<id> requires a valid owner token.
HTTP/curl Flow
JSONLOG_BASE_URL="http://localhost:3002"
OWNER_TOKEN="<owner_account_token>"
OTHER_TOKEN="<other_account_token>"
CID="team-private"

# Owner claims/uses channel (expect 200); -w prints the status code after the body
curl -sS -X POST "${JSONLOG_BASE_URL}/log?cid=${CID}" \
  -H "authorization: Bearer ${OWNER_TOKEN}" \
  -H "content-type: application/json" \
  --data '{"message":"owner log"}' \
  -w '\n%{http_code}\n'

# Non-owner cannot read private channel (expect 404)
curl -sS "${JSONLOG_BASE_URL}/log?cid=${CID}" \
  -H "authorization: Bearer ${OTHER_TOKEN}" \
  -w '\n%{http_code}\n'

# Unauthenticated write blocked (expect 401)
curl -sS -X POST "${JSONLOG_BASE_URL}/log?cid=${CID}" \
  -H "content-type: application/json" \
  --data '{"message":"blocked"}' \
  -w '\n%{http_code}\n'
Validation
- Owner read/write succeeds with 200.
- Non-owner private-channel operations return 404.
- Missing token on private channel write returns 401.
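The ownership and authorization rules above, modeled as a small reference implementation added here (not the jsonlog service's own code) so the Validation expectations can be checked against a constructed request sequence. The ChannelStore class, the run_scenario function and the token strings are assumptions, with each token string standing in for the account it authenticates; the page does not say how reads on a not-yet-claimed channel behave, and the model treats them as 404 and marks that as an assumption.

```python
# Added example: a reference model of this page's private-channel rules,
# not the jsonlog service's code. Status values come from the page.
from dataclasses import dataclass, field

@dataclass
class ChannelStore:
    owner: dict = field(default_factory=dict)  # channel id -> owning account
    logs: dict = field(default_factory=dict)   # channel id -> list of entries

    def write(self, cid, account, entry):
        """POST /log?cid=<cid>; returns the HTTP status the page specifies."""
        if account is None:
            return 401                          # unauthenticated write
        owner = self.owner.get(cid)
        if owner is None:
            self.owner[cid] = account           # first authenticated write claims
        elif owner != account:
            return 404                          # wrong account: channel hidden
        self.logs.setdefault(cid, []).append(entry)
        return 200

    def read(self, cid, account):
        """GET /log?cid=<cid>; returns (status, logs or None)."""
        owner = self.owner.get(cid)
        # No token or wrong account: 404, so the channel is never revealed.
        # Unowned channel: not defined on the page; assumed 404 here as well.
        if account is None or owner is None or owner != account:
            return 404, None
        return 200, list(self.logs.get(cid, []))

    def ws_upgrade(self, cid, account):
        """Upgrade to /ws?cid=<cid>: allowed only with the owner's token."""
        return account is not None and self.owner.get(cid) == account

def run_scenario():
    """Replays the page's flow with constructed tokens; returns the results."""
    store = ChannelStore()
    cid = "team-private"
    return {
        "owner_write": store.write(cid, "owner-token", {"message": "owner log"}),
        "owner_read": store.read(cid, "owner-token")[0],
        "other_read": store.read(cid, "other-token")[0],
        "other_write": store.write(cid, "other-token", {"message": "intruder"}),
        "anon_write": store.write(cid, None, {"message": "blocked"}),
        "anon_read": store.read(cid, None)[0],
        "owner_ws": store.ws_upgrade(cid, "owner-token"),
        "other_ws": store.ws_upgrade(cid, "other-token"),
        "log_count": len(store.logs[cid]),
    }
```

The log_count entry confirms that the rejected writes never reached the channel, which is the property the 401/404 responses are meant to guarantee.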