Not able to deny subscription to topic "#" #1387

Open
AlexanderDahmen opened this issue Aug 22, 2019 · 1 comment
AlexanderDahmen commented Aug 22, 2019

Hello.

I wanted to use Mosquitto to create a multi-user online application where users can modify data "live" together, similar to Google Docs.
Basically, a lobby system would generate a UUID as a topic name, and the authorized clients should connect to said topic to exchange events.

The problem is that any non-authorized client could just subscribe to "#", and thus get all messages and read all topic names, and subsequently send malicious data to all topics.

I've looked through the ACL and Mosquitto config, but have not been able to find an answer:
Is there any way I can allow subscription to specific topics (in this case UUIDs), but disallow subscription to wildcards in general?

Thank you and have a nice day,
Alexander Dahmen

Contributor

ralight commented Aug 29, 2019

Once you start using ACLs then anything that doesn't match an ACL is denied.

Your users could subscribe to #, but if they only have access to uuid/topic then they wouldn't be able to see anything other than what they are authorised to see. It does sound like you might want a more dynamic authentication system though, so perhaps an authentication plugin might be better for you.
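
The behaviour described in the reply above, as an added example that is not part of the original thread and not Mosquitto's own code: a simplified Python model of a default-deny ACL file checked for each message. The user names, UUID topics and function names are constructed for illustration.

```python
# Added example: simplified model of a default-deny ACL checked per message.
# Not Mosquitto source code; user names and UUID topics are constructed.
ACL_FILE = """\
user alice
topic readwrite lobby/1b4e28ba-2fa1-11d2-883f-0016d3cca427/#

user bob
topic readwrite lobby/6fa459ea-ee8a-3ca4-894e-db77e160355e/#
"""
PUBLISHED = ["lobby/1b4e28ba-2fa1-11d2-883f-0016d3cca427/events",
             "lobby/6fa459ea-ee8a-3ca4-894e-db77e160355e/events",
             "admin/status"]

def parse_acl(text):
    """Parse 'user <name>' and 'topic [access] <filter>' lines."""
    acl, user = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] == "user" and len(parts) == 2:
            user = parts[1]
        elif parts[0] == "topic" and len(parts) in (2, 3):
            # Access type is optional and defaults to read/write.
            access = parts[1] if len(parts) == 3 else "readwrite"
            acl.setdefault(user, []).append((access, parts[-1]))
    return acl

def matches(filt, topic):
    """MQTT filter match: '+' is one level, '#' is all remaining levels."""
    if topic.startswith("$") and filt[0] in "#+":
        return False  # wildcards at the first level do not match $-topics
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def allowed(acl, user, topic, want):
    """Default deny: needs an entry granting `want` ('read' or 'write')."""
    return any(a in (want, "readwrite") and matches(f, topic)
               for a, f in acl.get(user, []))

def delivered(acl, user, subscription, published):
    """Published topics that reach `user` through `subscription`."""
    return [t for t in published
            if matches(subscription, t) and allowed(acl, user, t, "read")]
```
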
