fix(api): secure web-socket access

This commit is contained in:
yassinedorbozgithub 2024-10-10 19:20:49 +01:00
parent 5681a810aa
commit d3ef4ea448
2 changed files with 39 additions and 22 deletions


@ -128,6 +128,9 @@ export class ChannelService {
);
if (!req.session?.passport?.user?.id) {
setTimeout(() => {
req.socket.client.conn.close();
}, 300);
throw new UnauthorizedException(
'Only authenticated users are allowed to use this channel',
);
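Review bot: The delayed close on the new `setTimeout` line runs outside the request's error handling, so if `req.socket.client.conn` is no longer reachable when the 300 ms timer fires (the client may already have gone away after the UnauthorizedException), the TypeError thrown inside the timer callback is an uncaught exception rather than a handled rejection, which in Node can terminate the process — and it is reachable by unauthenticated callers. Guarding the access, `req.socket?.client?.conn?.close();`, costs nothing and removes that path; I would also explain the magic delay with a comment such as `// give the UnauthorizedException time to reach the client before dropping the socket`, since nothing in the hunk says why 300 ms. The enclosing method starts and ends outside this hunk.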


@ -207,6 +207,8 @@ export class WebsocketGateway
// Handle session
this.io.use((client, next) => {
this.logger.verbose('Client connected, attempting to load session.');
try {
const { searchParams } = new URL(`ws://localhost${client.request.url}`);
if (client.request.headers.cookie) {
const cookies = cookie.parse(client.request.headers.cookie);
if (cookies && config.session.name in cookies) {
@ -216,22 +218,34 @@ export class WebsocketGateway
);
if (sessionID) {
return this.loadSession(sessionID, (err, session) => {
if (err) {
if (err || !session) {
this.logger.warn(
'Unable to load session, creating a new one ...',
err,
);
if (searchParams.get('channel') === 'offline') {
return this.createAndStoreSession(client, next);
} else {
return next(new Error('Unauthorized: Unknown session ID'));
}
}
client.data.session = session;
client.data.sessionID = sessionID;
next();
});
} else {
return next(new Error('Unable to parse session ID from cookie'));
}
}
}
} else if (searchParams.get('channel') === 'offline') {
return this.createAndStoreSession(client, next);
} else {
return next(new Error('Unauthorized to connect to WS'));
}
} catch (e) {
this.logger.warn('Something unexpected happening');
return next(e);
}
});
}
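Review bot: The new `catch` block passes the raw exception to `next(e)`, and socket.io forwards a middleware error's `message` to the client in `connect_error`, so an unauthenticated caller who triggers a failure in cookie parsing, `signedCookie` or the session store sees the internal error text; the log line also drops the error itself, so the server keeps less than the client receives. I would swap these: `this.logger.warn('Something unexpected happened while loading the WS session', e);` followed by `return next(new Error('Unauthorized to connect to WS'));`. Separately, if the `} else if (searchParams.get('channel') === 'offline')` branch attaches to the outer `if (client.request.headers.cookie)` check as the nesting suggests, a request that carries a Cookie header without the session cookie falls through every branch and calls neither `next()` nor `next(err)`, leaving the connection pending instead of rejected; a final `return next(new Error('Unauthorized to connect to WS'));` after the cookie lookup would close that gap — please confirm against the three lines hidden between the hunks.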