Secure server resources based on location
Device context data can tell you whether a user's device is connected to a secure network. If it is not connected, the device context can tell you whether the device is within a required geofence. This data can be used to restrict access to sensitive information or to prevent running specific program logic. It can also be used to require that additional authentication mechanisms, such as one-time pads, be used.
In many environments it is important to ensure that sensitive resources are secure, but can be are accessed by authorized users who are on site. Use the WL.Server.getClientDeviceContext API to obtain a device context from an authorized user. Then validate the device context by checking whether a user's device is connected to a secure network, or is within a designated required geofence.
For example, in a hospital, patient records must be secure and confidential, but must be accessible by authorized personnel such as doctors and nurses.
- While the acquisition is running, the device context reflects the most up-to-date information regarding the user's location. The user's device context is transparently synchronized to the server, so that WL.Device.getContext and WL.Server.getClientDeviceContext return the same result.
The developer must call WL.Device.startAcquisition to benefit from the synchronization and validation. Until the developer calls WL.Device.startAcquisition, the result is null.
- Based on the information in the device context, the adapter logic can check whether the user is connected to a specific network. Additionally, using the WL.Geo functions, the adapter logic can validate whether the user is in a specific, required geographical location.
Example
This example performs the following tasks:
- An attempt is made to verify the location. The device context information is acquired, using both Geo and WiFi data. A check is made to ensure that the data is current (acquired within the last 5 minutes), and that the device is within the area defined by the legalPolygon variable. Time calculations are done using UTC time.
- If the location cannot be verified, the message not in an authorized location is thrown.
- If the location is verified, further processing takes place.
var legalPolygon = loadFromDB(); var secureNetworks = ['Secure1', 'Secure2']; function loadFromDB() { // invoke Cast Iron or load from a database, etc. // for this example: showing a triangle return [{longitude: 0, latitude: 1}, {longitude: 1, latitude: 0}, {longitude: -1, latitude: 0}]; } function verifyLocation() { // get the server's copy of the client's device context var deviceContext = WL.Server.getClientDeviceContext(); if (deviceContext == null) throw 'acquisition not started'; // is the device connected to a WiFi access point? if (deviceContext.Wifi && deviceContext.Wifi.connectedAccessPoint) { // is the connected access point a secure one? if (secureNetworks.indexOf(deviceContext.Wifi.connectedAccessPoint.SSID) >= 0) return; // has a geolocation been acquired? if (deviceContext.Geo && deviceContext.Geo.coords) { // verify the information: var timestamp = deviceContext.Geo.timestamp; var offset = deviceContext.timezoneOffset; var utcTime = timestamp + offset; var now = new Date(); var nowTime = now.getTime() + now.getTimezoneOffset(); if (nowTime - utcTime <= 5*60000) { // time is within last 5 minutes if (WL.Geo.isInsidePolygon(deviceContext.Geo.coords, legalPolygon)) return; } throw 'not in an authorized location'; } function aProcedure() { verifyLocation(); // rest of logic: // ... }
Parent topic: Location services