FIX: the admin sockets now uses a short live to check room authorization

2021-10-28 14:53:07 +02:00 · 2021-10-28 14:53:07 +02:00 · 6c78717d97
parent 4d3bce0266
commit 6c78717d97
2 changed files with 17 additions and 8 deletions
--- a/pusher/src/Controller/IoSocketController.ts
+++ b/pusher/src/Controller/IoSocketController.ts
@ -47,15 +47,19 @@ export class IoSocketController {
                const websocketProtocol = req.getHeader("sec-websocket-protocol");
                const websocketExtensions = req.getHeader("sec-websocket-extensions");
                const token = query.token;
-                if (token !== ADMIN_SOCKETS_TOKEN) {
-                    console.log("Admin access refused for token: " + token);
+                let authorizedRoomIds: string[];
+                try {
+                    const data = jwtTokenManager.verifyAdminSocketToken(token as string);
+                    authorizedRoomIds = data.authorizedRoomIds;
+                } catch (e) {
+                    console.error("Admin access refused for token: " + token);
                    res.writeStatus("401 Unauthorized").end("Incorrect token");
                    return;
                }
                const roomId = query.roomId;
-                if (typeof roomId !== "string") {
-                    console.error("Received");
-                    res.writeStatus("400 Bad Request").end("Missing room id");
+                if (typeof roomId !== "string" || !authorizedRoomIds.includes(roomId)) {
+                    console.error("Invalid room id");
+                    res.writeStatus("403 Bad Request").end("Invalid room id");
                    return;
                }

@ -69,8 +73,6 @@ export class IoSocketController {
            },
            message: (ws, arrayBuffer, isBinary): void => {
                try {
-                    const roomId = ws.roomId as string;
-
                    //TODO refactor message type and data
                    const message: { event: string; message: { type: string; message: unknown; userUuid: string } } =
                        JSON.parse(new TextDecoder("utf-8").decode(new Uint8Array(arrayBuffer)));
--- a/pusher/src/Services/JWTTokenManager.ts
+++ b/pusher/src/Services/JWTTokenManager.ts
@ -1,4 +1,4 @@
-import { ADMIN_API_URL, ALLOW_ARTILLERY, SECRET_KEY } from "../Enum/EnvironmentVariable";
+import { ADMIN_API_URL, ADMIN_SOCKETS_TOKEN, ALLOW_ARTILLERY, SECRET_KEY } from "../Enum/EnvironmentVariable";
 import { uuid } from "uuidv4";
 import Jwt, { verify } from "jsonwebtoken";
 import { TokenInterface } from "../Controller/AuthenticateController";
@ -8,9 +8,16 @@ export interface AuthTokenData {
    identifier: string; //will be a email if logged in or an uuid if anonymous
    hydraAccessToken?: string;
 }
+export interface AdminSocketTokenData {
+    authorizedRoomIds: string[]; //the list of rooms the client is authorized to read from.
+}
 export const tokenInvalidException = "tokenInvalid";

 class JWTTokenManager {
+    public verifyAdminSocketToken(token: string): AdminSocketTokenData {
+        return Jwt.verify(token, ADMIN_SOCKETS_TOKEN) as AdminSocketTokenData;
+    }
+
    public createAuthToken(identifier: string, hydraAccessToken?: string) {
        return Jwt.sign({ identifier, hydraAccessToken }, SECRET_KEY, { expiresIn: "30d" });
    }