6.3.2 Developer Guide — Realtime & Events — Security — Auth and Permissions

Realtime security ensures that WebSocket connections and event streams are protected with the same rigor as HTTP APIs. Authentication, authorization, and scope validation are enforced consistently to prevent unauthorized access and data leakage.

Authentication Binding

Realtime connections require prior authentication. The authenticated identity is bound to the connection at handshake time and cannot be elevated afterward.

Binding guarantees:

User identity resolved once per connection

Tenant and organization context locked

No anonymous upgrade to authenticated state

Example handshake validation:

if (!Auth::check()) { abort(401); } // reject the upgrade before any identity is bound to the connection

Permission Enforcement

Permissions are evaluated when subscribing to channels and when publishing events. Authorization is not assumed based on connection alone.

Enforcement points:

Channel subscription requests

Event publish attempts

Presence visibility checks

Example permission check:

if (!$user->can('realtime.subscribe', $channel)) { abort(403); } // evaluated per subscription, not once per connection

Scope Validation

Every realtime action is validated against scope boundaries.

Scope rules:

Tenant scope must match

Organization scope must match

Feature scope must be enabled

Violations result in immediate rejection.
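The subscription-time checks from the Permission Enforcement and Scope Validation sections, written as a Laravel channel authorization callback. This is an added example, not code from the guide or the project; the channel name pattern, the 'realtime.subscribe' ability, the feature name 'realtime' and the Tenant::hasFeature() helper are assumptions.

```php
<?php
// Added example, not the project's own code. Assumes a Laravel broadcasting setup
// (Broadcast::channel) and a User model carrying tenant_id and organization_id.

use Illuminate\Support\Facades\Broadcast;

// Scope rules: tenant and organization must match the identity bound at the
// handshake, and the realtime feature must be enabled for the tenant. The user
// object comes from the connection's bound identity, never from client input.
function realtimeScopeMatches($user, string $tenantId, string $orgId): bool
{
    if ((int) $user->tenant_id !== (int) $tenantId) {
        return false; // tenant scope mismatch: immediate rejection
    }
    if ((int) $user->organization_id !== (int) $orgId) {
        return false; // organization scope mismatch: immediate rejection
    }
    // hasFeature() is an assumed helper on the Tenant model.
    return $user->tenant->hasFeature('realtime');
}

// Private channel: the scope is encoded in the channel name, so every
// subscription request names the tenant and organization it is asking for.
Broadcast::channel('tenant.{tenantId}.org.{orgId}.events', function ($user, $tenantId, $orgId) {
    if (! realtimeScopeMatches($user, $tenantId, $orgId)) {
        return false; // returning false yields a 403 for the subscription
    }
    // Permission enforcement is a separate decision from being connected.
    return $user->can('realtime.subscribe', "tenant.{$tenantId}.org.{$orgId}.events");
});

// Presence channel: the same scope and permission checks gate visibility, and
// only the fields returned here are shared with other members of the channel.
Broadcast::channel('presence-tenant.{tenantId}.org.{orgId}', function ($user, $tenantId, $orgId) {
    if (! realtimeScopeMatches($user, $tenantId, $orgId)) {
        return false;
    }
    if (! $user->can('realtime.subscribe', "presence-tenant.{$tenantId}.org.{$orgId}")) {
        return false;
    }
    return ['id' => $user->id, 'name' => $user->name];
});
```

Publish-side checks follow the same pattern: resolve the target channel's tenant and organization from its name, compare them with the bound identity, then require the publish ability.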

Token and Session Handling

Realtime systems honor the same token and session rules defined for HTTP access. Expired or revoked tokens terminate active connections.

Token behavior:

Continuous validity checks

Immediate disconnect on revocation

No grace period beyond policy

Event Integrity

Events are validated before publication to ensure they conform to expected schemas and scopes.

Integrity guarantees:

Schema validation

Payload size limits

No cross-scope references

Abuse Protection

Realtime endpoints are protected against abuse through rate limiting and connection caps.

Protection measures:

Maximum concurrent connections

Subscription rate limits

Automatic throttling

Auditing and Monitoring

Security-relevant realtime actions are logged for audit and diagnostics.

Logged events:

Connection attempts

Authorization failures

Forced disconnects

Security and Isolation

Realtime security complements tenant and organization isolation. No realtime channel can bypass application-level access controls. All enforcement is server-side and deterministic.