Mqtt client's connect behavior when pub/sub to an unauthorized topic

Hello all!

We are working on a setup where the mqtt broker (vernemq) authorizes the user/client_id on publishing/subscribing certain topics (using broker's ACL). When the topic does not exist in the ACL or the user/client_id is not authorized to publish or subscribe to the topic, the broker then disconnects the client, and that's the right behavior.

But we are facing a problem when we send an invalid or unauthorized topic to the broker, as it disconnects all mqtt in/out nodes using the same connection to the broker. Further, all mqtt in/out nodes keep trying to connect/send their messages including the one with invalid topic and thus it creates an infinite loop.

Is there anything that can be done to avoid this behavior?

Thanks all in advance.

node-red version 3.02 running on windows 11
vernemq v.1.12.6.2 running on docker

Does Vernemq have a free online public MQTT broker where I can test this (like hive, eclipse, emqx etc: online brokers for IoT testing and prototyping)? Or can you provide an MQTT hostname/client details for testing?

Question: Are you setting up node-red to V3.11 or V5 protocol?

Hi Steve

I think you can use any broker that supports authentication/authorization.

We are using v.3.11, but have the same behavior using mqtt v5.

Thank u

If you want a separate connection for each mqtt node, which I think is what you are asking for, then I think you will have to create a new server config node for each mqtt node.

What do you see in NR STDOUT / LOGs when the disconnection occurs? For both V3.1 and V5?

The reason I ask is due to the specification and how well a broker adheres. If I remember correctly when working on the MQTT nodes for V5, the correct result in attempting to subscribe to a protected topic is to disconnect with a reason code of 135 or 144 (see spec).

This is a known (unanswered) issue: bad topic causes disconnect event but then tries to resend on auto reconnect resulting in continuous error · Issue #1402 · mqttjs/MQTT.js · GitHub

Just the typical connect/disconnect messages:

25 Jan 14:27:00 - [info] [mqtt-broker:vernemq@xxxxxx] Connected to broker: nr-dev-klauss@mqtts://xxxxxxx:8884
25 Jan 14:27:14 - [info] [mqtt-broker:vernemq@xxxxxx] Disconnected from broker: nr-dev-klauss@mqtts://nxxxxx:8884

I will try to capture the packages or if there is some other way to show more verbose messages, please let me know!

Thank You!

I'm thinking to use the status node to monitor the state of the connection and then send a "connect" command to "break" the loop (it worked manually, until it receives the unauthorized/invalid topic again). Not sure if it is an elegant way to solve it.

Not sure apart from "don't send invalid topics" - and just to clarify, you mean topics that are "protected" (not badly formatted topics right?)

As suggested by @Colin if all mqtt nodes are using the same configuration node as you explain in the 1st email, then all in/out are sharing the same client_id. VerneMQ disconnection is based on the client_id. So, if one is doing something dodgy then the client_id is "banned" (that is disconnected).

If there is a risk that one mqtt out is behaving badly, then, you can create multiple config nodes to the same broker and only this one will be affected.
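
An added example (not code from this thread, Node-RED or MQTT.js) for the "don't send invalid topics" suggestion above: a pre-publish guard, for instance in a function node in front of an mqtt out node, that drops messages whose topic is malformed or not covered by a local allowlist. The allowlist patterns and function names are assumptions; the patterns use standard MQTT topic-filter wildcards and should mirror the publish rules in the broker's ACL.

```javascript
'use strict';

// Constructed allowlist (assumption): mirror the publish rules from the broker ACL.
const PUBLISH_ACL = ['sensors/+/temperature', 'plant/line1/#'];

// A published topic name must be a non-empty string without wildcards or NUL.
function isValidPublishTopic(topic) {
  return typeof topic === 'string' && topic.length > 0 && !/[+#\u0000]/.test(topic);
}

// Standard MQTT filter matching: '+' = exactly one level, '#' = the rest
// (including the parent level) and only valid as the final level.
function matchesFilter(filter, topic) {
  const f = filter.split('/');
  const t = topic.split('/');
  // Wildcards in the first level never match '$'-prefixed topics such as $SYS.
  if (topic.startsWith('$') && (f[0] === '+' || f[0] === '#')) return false;
  for (let i = 0; i < f.length; i++) {
    if (f[i] === '#') return i === f.length - 1;
    if (i >= t.length) return false;
    if (f[i] !== '+' && f[i] !== t[i]) return false;
  }
  return f.length === t.length;
}

// Decide locally whether a message may go to the broker at all.
function guardPublish(msg, acl = PUBLISH_ACL) {
  if (!msg || !isValidPublishTopic(msg.topic)) {
    return { allowed: false, reason: 'invalid topic name' };
  }
  if (!acl.some((pattern) => matchesFilter(pattern, msg.topic))) {
    return { allowed: false, reason: 'topic not in local allowlist' };
  }
  return { allowed: true, reason: null };
}

// In a Node-RED function node the last line would be:
//   return guardPublish(msg).allowed ? msg : null;   // null drops the message
// Constructed sample messages:
for (const topic of ['sensors/a1/temperature', 'plant/line1', 'admin/config', 'sensors/#']) {
  console.log(topic, JSON.stringify(guardPublish({ topic })));
}
```

The broker ACL stays the authority; the guard only keeps one bad message from taking down a connection shared by other mqtt nodes.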

It does not... However, for test purposes you can use the docker image available here: Docker