Hi @fordicuso,
Q1. Let's assume an abusive client has figured out the name of a hub method. Then it can attempt to call an existing hub method even though the arguments aren't correct.
It will check whether it has the same method name and the arguments for the method.
Q2. What is the response at the server-side when the name of the hub method is correct but the arguments do not follow the specification?
It will have an error message: Microsoft.AspNetCore.SignalR.HubException: Failed to invoke 'SendMessage' due to an error on the server.
Q3. I wanted to monitor such potentially abusive access to enhance security. Is there a way that I can detect such access?
Each client connecting to the hub is passed a unique connection ID. You can use the OnConnected, OnDisconnected and OnReconnected methods of the Hub class to track user connection status.
Q4. Can there be a case where a hub method is actually invoked at the server-side but the delivered arguments unintentionally mismatch the specification of the method due to a packet loss, etc?
It's impossible.
Q5. Is there a generally suggested way to deal with a potential security breach using SignalR?
If you want to restrict access to it you need to authenticate users and authorize their actions. You authenticate using standard web auth methods (forms auth, cookies, Windows auth, etc.) and you can authorize in code using SignalR constructs (like the Authorize attribute you point out) or with your own code.
Best regards,
Yijing Sun
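As an added example (not part of the answer above and not Microsoft's code), here is one way to combine the connection tracking from Q3 with the authorization from Q5 in ASP.NET Core SignalR, where the lifecycle overrides are `OnConnectedAsync` and `OnDisconnectedAsync`. `ChatHub`, `InvocationAuditFilter`, the `ReceiveMessage` client method and the threshold of 5 are assumptions; the filter sees only invocations that reach the hub pipeline.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.Logging;

[Authorize] // unauthenticated clients cannot connect or invoke hub methods
public class ChatHub : Hub // hypothetical hub name
{
    private readonly ILogger<ChatHub> _log;
    public ChatHub(ILogger<ChatHub> log) => _log = log;
    public override Task OnConnectedAsync()
    {
        _log.LogInformation("Connected {Conn} user={User}", Context.ConnectionId, Context.UserIdentifier);
        return base.OnConnectedAsync();
    }
    public override Task OnDisconnectedAsync(Exception? exception)
    {
        InvocationAuditFilter.Forget(Context.ConnectionId); // drop per-connection state
        _log.LogInformation(exception, "Disconnected {Conn}", Context.ConnectionId);
        return base.OnDisconnectedAsync(exception);
    }
    public Task SendMessage(string user, string message) =>
        Clients.All.SendAsync("ReceiveMessage", user, message); // client method name assumed
}
// Hypothetical filter: logs each hub invocation that throws and aborts noisy connections.
public class InvocationAuditFilter : IHubFilter
{
    private const int MaxFailures = 5; // assumed threshold, tune for your traffic
    private static readonly ConcurrentDictionary<string, int> Failures = new();
    private readonly ILogger<InvocationAuditFilter> _log;
    public InvocationAuditFilter(ILogger<InvocationAuditFilter> log) => _log = log;
    public static void Forget(string connectionId) => Failures.TryRemove(connectionId, out _);
    public async ValueTask<object?> InvokeMethodAsync(
        HubInvocationContext ctx, Func<HubInvocationContext, ValueTask<object?>> next)
    {
        try { return await next(ctx); }
        catch (Exception ex)
        {
            var id = ctx.Context.ConnectionId;
            var count = Failures.AddOrUpdate(id, 1, (_, n) => n + 1);
            _log.LogWarning(ex, "Hub method {Method} failed for {Conn} ({Count})", ctx.HubMethodName, id, count);
            if (count >= MaxFailures) ctx.Context.Abort(); // disconnect the client
            throw; // rethrow so the framework reports the error as usual
        }
    }
}
// Register in Program.cs: builder.Services.AddSignalR(o => o.AddFilter<InvocationAuditFilter>());
```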