Prevent a NATS user from creating durable consumers

[pontus4138]

Hello, I am looking at using NATS as a communication hub for sending notifications to and from browser-based clients over websocket. I want to use jetstream to allow the clients to not only get events but also have access to the event history.

However, I am worried that giving clients that I don't control access to the jetstream API will allow them to create durable consumers that will take up resources on the servers. Thus I am trying to limit a user so it can only create ephemeral consumers. I also have to be able to only allow the user to access specific subjects, my idea for that is the use consumer with a filter for a specific subject. Is this possible? Or is there a better way of managing the durable even if you dont control the client applications that are creating them?

The closest I have gotten is to only allow the user/client to publish to this subject $JS.API.CONSUMER.CREATE.<stream>.*.<subject>. This limits what subjects the user can see, however, this still allows the user to create durable consumers.

In the documentation I also found this subject $JS.API.CONSUMER.CREATE.<stream>, but that does not allow filtering on a subject.

[derekcollison]

Yes, you can add in the allow permission that create extended version you want to allow and disallow the plain $JS.API.CONSUMER.CREATE.<stream>

[pontus4138]

Thanks for the quick answer!

Does this method allow me to restrict which subject a user can consume?
For example, if I have a stream that includes the subject A.> but I want to limit users to only consuming messages from A.B.>. As was possible with the subject in $JS.API.CONSUMER.CREATE.<stream>.<consumer>.<subject>.

[derekcollison]

You can, via delivery subject restrictions for push consumers. For pull consumers, possible but a bit more involved to construct.