Permissions & best practices with traccar

Muammar, 3 years ago

Hi everyone,

I have a fleet tracking & monitoring problem. It's pretty clear how to use Traccar for saving the coordinates; however, it's not clear enough how to properly use it for monitoring with custom authorization & frontend. Mostly, I'm interested in the WebSockets API and I have two use cases.

Admins

Our admins would like to track the whole fleet after logging in to our custom frontend. From the WebSockets API description it seems that this is a good use case, because you will get messages for all coordinate updates. AFAIU, you simply need to create a session with the right user credentials (that we have on our backend) and set it in the response. Then the WebSockets API will work & receive messages.

The only question left here is: what is the correct setup for these users? Do we create a corresponding manager user in Traccar with readonly access, and he will be able to receive all coordinates? Since we have different users on our backend, do we simply connect them to this single user? Or do we need to create a manager user for each one of them? What if an admin gets deactivated? Their session should probably be closed?

Customers

Our customers would like to monitor drivers specific to them, and only for a limited amount of time, i.e. while their delivery is in progress. After that they shouldn't be able to monitor deliveries & receive driver coordinates. On our web server side we want to create links that will work for a limited amount of time without authorization.

From reading the documentation, I probably want to do the following (correct me if I'm wrong):

  1. For each delivery I want to create a session that will expire when the delivery is over. If I got it correctly, I can do it by first creating a new session on the backend side (in order not to leak user credentials) and then closing it when needed.
  2. I don't want to receive updates for all devices and this seems to be a problem, because I didn't find anywhere in the documentation how to receive messages only for a specific device. How to achieve that?

Also, what is the right user & permissions setup for this use case?

Anton Tananaev, 3 years ago

Why would admins be readonly? I'm not sure I'm following that logic. Maybe you didn't provide some context?

Muammar, 3 years ago

Since we use a custom frontend, our backend will be handling all of the writes, sessions, etc. As for the admins, they need to simply observe and take actions based on where our drivers are.

Anton Tananaev, 3 years ago

Then why do you need to connect other users to them? Why not just connect devices? That's what you need to do to actually see devices.

Muammar, 3 years ago

Regarding the admin part. Some user will need to create a session to access the web socket api, right? That’s the reason why we want to have it. We will probably create it once and save the credentials on the backend.

As for the device, AFAIU, this is driver related and of course every driver will get a unique device.

I think the admin part is more or less easy. Let’s move to the customers. How do you subscribe only to specific device location updates?

Anton Tananaev, 3 years ago

> How do you subscribe only to specific device location updates?

Create a user and assign a single device to them.

Muammar, 3 years ago

I see... It turned out that monitoring specific devices is the easy part.
One thing that is left to be clarified: in the Create Device API I can't see a userId. Does it mean that whenever a device is created, it is assigned to the user who created it?

Let's go back to the admin use case then.
How can I subscribe to all devices' updates to receive their coordinates? Or maybe to all devices of users that belong to a specific group? I can't find any details in the documentation.

Anton Tananaev, 3 years ago

Yes, it's assigned to the current user by default, but then you can also link it to another user.

Muammar, 3 years ago

Okay, now I have the following picture in my head:

  1. Create a single admin user
  2. For each driver (these are our own drivers, not Traccar's) create a new user + a new device for this user
  3. Link the device created in step 2 to the admin user

Then:

  • Whenever I need to track only a specific driver, I will use its user and create a session, then connect to the WebSocket API and get only its coordinates
  • Whenever I need to track all drivers, I will use the admin user, create a session, connect to the WebSocket API and get coordinates from all linked devices

Are there any flaws in my current understanding?

Anton Tananaev, 3 years ago

Correct. Sounds about right.

Muammar, 3 years ago

Great! Now let's come to the security side of things, specifically to sessions & cookies.

Let me try to describe what I've understood from the documentation & inspection of demo.traccar.org and then share how everything should be implemented to support my setup.

Requirements

  1. I want to completely hide user interactions with Traccar (it significantly improves the UX)
  2. I don't want to leak any user credentials to the frontend (passwords, tokens), because it has a potential risk of using them to track our drivers
  3. Customers should have access to the tracking information via public links for only a limited amount of time

Workflows

Right now I have the following vision:

Admins

  1. A GET request with all necessary information is issued to our web server
  2. Before returning a response, check whether there is a Traccar session associated with this admin user. If not, create it via the POST API on the server side and save it to the DB
  3. In the response, set the JSESSIONID cookie to the obtained value
  4. If a user gets deactivated, issue a DELETE request with the provided cookie and close the session

Customers

  1. A GET request with a unique delivery id is issued to our web server
  2. Identify the delivery, check the time constraints and either return 404 or process the request
  3. If a Traccar session was not yet created, create it for this specific delivery and save it to the DB
  4. In the response, set the JSESSIONID cookie to the obtained value
  5. When the delivery is over, close the session

Do you see any flaws or problems here?
The only issue that might arise is whether cookies will be sent correctly, but that could be fixed with the right subdomains, AFAIU.

P.S. Huge thanks for your quick answers!
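
The customer workflow above (steps 1 to 5), written out as an added example that is not part of the original thread or of Traccar's code. `Delivery`, `handle_tracking_link`, `end_delivery` and the cookie attributes are assumptions made for illustration, and `FakeTraccar` is a constructed stand-in for the backend's session POST and DELETE requests so the block runs offline.

```python
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Delivery:
    id: str
    traccar_user: str              # Traccar user linked to this delivery's single device
    starts_at: float               # epoch seconds
    ends_at: float
    jsessionid: Optional[str] = None   # stored server side ("save it to the DB")

class FakeTraccar:
    """Constructed stand-in for the backend's session POST/DELETE calls (runs offline)."""
    def __init__(self):
        self.live, self._n = {}, 0
    def open_session(self, user):
        self._n += 1
        self.live[f"sess-{self._n}"] = user
        return f"sess-{self._n}"
    def close_session(self, sid):
        self.live.pop(sid, None)

def end_delivery(delivery, traccar):
    """Step 5: close the Traccar session; idempotent."""
    if delivery.jsessionid is not None:
        traccar.close_session(delivery.jsessionid)
        delivery.jsessionid = None

def handle_tracking_link(delivery, traccar, now=None, cookie_domain=None):
    """Steps 1-4: return (HTTP status, Set-Cookie value or None)."""
    now = time.time() if now is None else now
    if delivery is None or now < delivery.starts_at:
        return 404, None
    if now >= delivery.ends_at:
        end_delivery(delivery, traccar)    # revoke server side, not just in the browser
        return 404, None
    if delivery.jsessionid is None:        # create once, reuse on later requests
        delivery.jsessionid = traccar.open_session(delivery.traccar_user)
    attrs = [f"JSESSIONID={delivery.jsessionid}",
             f"Max-Age={int(delivery.ends_at - now)}",   # cookie dies with the delivery
             "Path=/", "HttpOnly", "Secure", "SameSite=Strict"]
    if cookie_domain:                      # assumption: Traccar served from a sibling subdomain
        attrs.append(f"Domain={cookie_domain}")
    return 200, "; ".join(attrs)
```

Because every visitor of a public link receives the same session, the server-side close in `end_delivery` is what actually ends access; the cookie's `Max-Age` only limits how long a browser keeps presenting it.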