Websocket auth

2021-02-02 12:06:28 -08:00 · 2021-02-02 12:06:28 -08:00 · b3e660d354
commit b3e660d354
parent 12846ccc38
5 changed files with 211 additions and 95 deletions
--- a/server/app/blocks_test.go
+++ b/server/app/blocks_test.go
@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/golang/mock/gomock"
+	"github.com/mattermost/focalboard/server/auth"
 	"github.com/mattermost/focalboard/server/services/config"
 	"github.com/mattermost/focalboard/server/services/store/mockstore"
 	"github.com/mattermost/focalboard/server/services/webhook"
@ -13,12 +14,17 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func isValidSessionToken(token string) bool {
+	return true
+}
+
 func TestGetParentID(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	cfg := config.Configuration{}
 	store := mockstore.NewMockStore(ctrl)
-	wsserver := ws.NewServer()
+	auth := auth.New(&cfg, store)
+	wsserver := ws.NewServer(auth, true)
 	webhook := webhook.NewClient(&cfg)
 	app := New(&cfg, store, wsserver, &mocks.FileBackend{}, webhook)

--- a/server/auth/auth.go
+++ b/server/auth/auth.go
@ -0,0 +1,37 @@
+package auth
+
+import (
+	"time"
+
+	"github.com/mattermost/focalboard/server/model"
+	"github.com/mattermost/focalboard/server/services/config"
+	"github.com/mattermost/focalboard/server/services/store"
+	"github.com/pkg/errors"
+)
+
+// Auth authenticates sessions
+type Auth struct {
+	config *config.Configuration
+	store  store.Store
+}
+
+// New returns a new Auth
+func New(config *config.Configuration, store store.Store) *Auth {
+	return &Auth{config: config, store: store}
+}
+
+// GetSession Get a user active session and refresh the session if is needed
+func (a *Auth) GetSession(token string) (*model.Session, error) {
+	if len(token) < 1 {
+		return nil, errors.New("no session token")
+	}
+
+	session, err := a.store.GetSession(token, a.config.SessionExpireTime)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to get the session for the token")
+	}
+	if session.UpdateAt < (time.Now().Unix() - a.config.SessionRefreshTime) {
+		a.store.RefreshSession(session)
+	}
+	return session, nil
+}
--- a/server/server/server.go
+++ b/server/server/server.go
@ -17,6 +17,7 @@ import (

 	"github.com/mattermost/focalboard/server/api"
 	"github.com/mattermost/focalboard/server/app"
+	"github.com/mattermost/focalboard/server/auth"
 	"github.com/mattermost/focalboard/server/context"
 	appModel "github.com/mattermost/focalboard/server/model"
 	"github.com/mattermost/focalboard/server/services/config"
@ -60,7 +61,9 @@ func New(cfg *config.Configuration, singleUser bool) (*Server, error) {
 		return nil, err
 	}

-	wsServer := ws.NewServer()
+	auth := auth.New(cfg, store)
+
+	wsServer := ws.NewServer(auth, singleUser)

 	filesBackendSettings := model.FileSettings{}
 	filesBackendSettings.SetDefaults(false)
--- a/server/ws/websockets.go
+++ b/server/ws/websockets.go
@ -9,95 +9,20 @@ import (

 	"github.com/gorilla/mux"
 	"github.com/gorilla/websocket"
+	"github.com/mattermost/focalboard/server/auth"
 	"github.com/mattermost/focalboard/server/model"
 )

-// RegisterRoutes registers routes.
-func (ws *Server) RegisterRoutes(r *mux.Router) {
-	r.HandleFunc("/ws/onchange", ws.handleWebSocketOnChange)
-}
-
-// AddListener adds a listener for a block's change.
-func (ws *Server) AddListener(client *websocket.Conn, blockIDs []string) {
-	ws.mu.Lock()
-	for _, blockID := range blockIDs {
-		if ws.listeners[blockID] == nil {
-			ws.listeners[blockID] = []*websocket.Conn{}
-		}
-
-		ws.listeners[blockID] = append(ws.listeners[blockID], client)
-	}
-	ws.mu.Unlock()
-}
-
-// RemoveListener removes a webSocket listener from all blocks.
-func (ws *Server) RemoveListener(client *websocket.Conn) {
-	ws.mu.Lock()
-	for key, clients := range ws.listeners {
-		listeners := []*websocket.Conn{}
-
-		for _, existingClient := range clients {
-			if client != existingClient {
-				listeners = append(listeners, existingClient)
-			}
-		}
-
-		ws.listeners[key] = listeners
-	}
-	ws.mu.Unlock()
-}
-
-// RemoveListenerFromBlocks removes a webSocket listener from a set of block.
-func (ws *Server) RemoveListenerFromBlocks(client *websocket.Conn, blockIDs []string) {
-	ws.mu.Lock()
-
-	for _, blockID := range blockIDs {
-		listeners := ws.listeners[blockID]
-		if listeners == nil {
-			return
-		}
-
-		// Remove the first instance of this client that's listening to this block
-		// Note: A client can listen multiple times to the same block
-		for index, listener := range listeners {
-			if client == listener {
-				newListeners := append(listeners[:index], listeners[index+1:]...)
-				ws.listeners[blockID] = newListeners
-
-				break
-			}
-		}
-	}
-
-	ws.mu.Unlock()
-}
-
-// GetListeners returns the listeners to a blockID's changes.
-func (ws *Server) GetListeners(blockID string) []*websocket.Conn {
-	ws.mu.Lock()
-	listeners := ws.listeners[blockID]
-	ws.mu.Unlock()
-
-	return listeners
-}
+// IsValidSessionToken authenticates session tokens
+type IsValidSessionToken func(token string) bool

 // Server is a WebSocket server.
 type Server struct {
-	upgrader  websocket.Upgrader
-	listeners map[string][]*websocket.Conn
-	mu        sync.RWMutex
-}
-
-// NewServer creates a new Server.
-func NewServer() *Server {
-	return &Server{
-		listeners: make(map[string][]*websocket.Conn),
-		upgrader: websocket.Upgrader{
-			CheckOrigin: func(r *http.Request) bool {
-				return true
-			},
-		},
-	}
+	upgrader   websocket.Upgrader
+	listeners  map[string][]*websocket.Conn
+	mu         sync.RWMutex
+	auth       *auth.Auth
+	singleUser bool
 }

 // UpdateMsg is sent on block updates
@ -109,9 +34,34 @@ type UpdateMsg struct {
 // WebsocketCommand is an incoming command from the client.
 type WebsocketCommand struct {
 	Action   string   `json:"action"`
+	Token    string   `json:"token"`
 	BlockIDs []string `json:"blockIds"`
 }

+type websocketSession struct {
+	client          *websocket.Conn
+	isAuthenticated bool
+}
+
+// NewServer creates a new Server.
+func NewServer(auth *auth.Auth, singleUser bool) *Server {
+	return &Server{
+		listeners: make(map[string][]*websocket.Conn),
+		upgrader: websocket.Upgrader{
+			CheckOrigin: func(r *http.Request) bool {
+				return true
+			},
+		},
+		auth:       auth,
+		singleUser: singleUser,
+	}
+}
+
+// RegisterRoutes registers routes.
+func (ws *Server) RegisterRoutes(r *mux.Router) {
+	r.HandleFunc("/ws/onchange", ws.handleWebSocketOnChange)
+}
+
 func (ws *Server) handleWebSocketOnChange(w http.ResponseWriter, r *http.Request) {
 	// Upgrade initial GET request to a websocket
 	client, err := ws.upgrader.Upgrade(w, r, nil)
@ -128,17 +78,22 @@ func (ws *Server) handleWebSocketOnChange(w http.ResponseWriter, r *http.Request
 		log.Printf("DISCONNECT WebSocket onChange, client: %s", client.RemoteAddr())

 		// Remove client from listeners
-		ws.RemoveListener(client)
+		ws.removeListener(client)

 		client.Close()
 	}()

+	wsSession := websocketSession{
+		client:          client,
+		isAuthenticated: ws.singleUser,
+	}
+
 	// Simple message handling loop
 	for {
 		_, p, err := client.ReadMessage()
 		if err != nil {
 			log.Printf("ERROR WebSocket onChange, client: %s, err: %v", client.RemoteAddr(), err)
-			ws.RemoveListener(client)
+			ws.removeListener(client)

 			break
 		}
@ -154,13 +109,17 @@ func (ws *Server) handleWebSocketOnChange(w http.ResponseWriter, r *http.Request
 		}

 		switch command.Action {
+		case "AUTH":
+			log.Printf(`Command: AUTH, client: %s`, client.RemoteAddr())
+			ws.authenticateListener(&wsSession, command.Token)
+
 		case "ADD":
 			log.Printf(`Command: Add blockID: %v, client: %s`, command.BlockIDs, client.RemoteAddr())
-			ws.AddListener(client, command.BlockIDs)
+			ws.addListener(&wsSession, command.BlockIDs)

 		case "REMOVE":
 			log.Printf(`Command: Remove blockID: %v, client: %s`, command.BlockIDs, client.RemoteAddr())
-			ws.RemoveListenerFromBlocks(client, command.BlockIDs)
+			ws.removeListenerFromBlocks(&wsSession, command.BlockIDs)

 		default:
 			log.Printf(`ERROR webSocket command, invalid action: %v`, command.Action)
@ -168,6 +127,105 @@ func (ws *Server) handleWebSocketOnChange(w http.ResponseWriter, r *http.Request
 	}
 }

+func (ws *Server) isValidSessionToken(token string) bool {
+	if ws.singleUser {
+		return true
+	}
+
+	session, err := ws.auth.GetSession(token)
+	if session == nil || err != nil {
+		return false
+	}
+
+	return true
+}
+
+func (ws *Server) authenticateListener(wsSession *websocketSession, token string) {
+	isValidSession := ws.isValidSessionToken(token)
+	if !isValidSession {
+		wsSession.client.Close()
+		return
+	}
+
+	// Authenticated
+	wsSession.isAuthenticated = true
+	log.Printf("authenticateListener: Authenticated")
+}
+
+// AddListener adds a listener for a block's change.
+func (ws *Server) addListener(wsSession *websocketSession, blockIDs []string) {
+	if !wsSession.isAuthenticated {
+		log.Printf("addListener: NOT AUTHENTICATED")
+		return
+	}
+
+	ws.mu.Lock()
+	for _, blockID := range blockIDs {
+		if ws.listeners[blockID] == nil {
+			ws.listeners[blockID] = []*websocket.Conn{}
+		}
+
+		ws.listeners[blockID] = append(ws.listeners[blockID], wsSession.client)
+	}
+	ws.mu.Unlock()
+}
+
+// removeListener removes a webSocket listener from all blocks.
+func (ws *Server) removeListener(client *websocket.Conn) {
+	ws.mu.Lock()
+	for key, clients := range ws.listeners {
+		listeners := []*websocket.Conn{}
+
+		for _, existingClient := range clients {
+			if client != existingClient {
+				listeners = append(listeners, existingClient)
+			}
+		}
+
+		ws.listeners[key] = listeners
+	}
+	ws.mu.Unlock()
+}
+
+// removeListenerFromBlocks removes a webSocket listener from a set of block.
+func (ws *Server) removeListenerFromBlocks(wsSession *websocketSession, blockIDs []string) {
+	if !wsSession.isAuthenticated {
+		log.Printf("removeListenerFromBlocks: NOT AUTHENTICATED")
+		return
+	}
+
+	ws.mu.Lock()
+
+	for _, blockID := range blockIDs {
+		listeners := ws.listeners[blockID]
+		if listeners == nil {
+			return
+		}
+
+		// Remove the first instance of this client that's listening to this block
+		// Note: A client can listen multiple times to the same block
+		for index, listener := range listeners {
+			if wsSession.client == listener {
+				newListeners := append(listeners[:index], listeners[index+1:]...)
+				ws.listeners[blockID] = newListeners
+
+				break
+			}
+		}
+	}
+
+	ws.mu.Unlock()
+}
+
+// GetListeners returns the listeners to a blockID's changes.
+func (ws *Server) GetListeners(blockID string) []*websocket.Conn {
+	ws.mu.Lock()
+	listeners := ws.listeners[blockID]
+	ws.mu.Unlock()
+
+	return listeners
+}
+
 // BroadcastBlockDelete broadcasts delete messages to clients
 func (ws *Server) BroadcastBlockDelete(blockID string, parentID string) {
 	now := time.Now().Unix()
--- a/webapp/src/octoListener.ts
+++ b/webapp/src/octoListener.ts
@ -27,6 +27,7 @@ class OctoListener {
    }

    readonly serverUrl: string
+    private token: string
    private ws?: WebSocket
    private blockIds: string[] = []
    private isInitialized = false
@ -38,14 +39,13 @@ class OctoListener {
    notificationDelay = 100
    reopenDelay = 3000

-    constructor(serverUrl?: string) {
+    constructor(serverUrl?: string, token?: string) {
        this.serverUrl = serverUrl || window.location.origin
+        this.token = token || localStorage.getItem('sessionId') || ''
        Utils.log(`OctoListener serverUrl: ${this.serverUrl}`)
    }

    open(blockIds: string[], onChange: OnChangeHandler, onReconnect: () => void): void {
-        let timeoutId: NodeJS.Timeout
-
        if (this.ws) {
            this.close()
        }
@ -61,6 +61,7 @@ class OctoListener {

        ws.onopen = () => {
            Utils.log('OctoListener webSocket opened.')
+            this.authenticate()
            this.addBlocks(blockIds)
            this.isInitialized = true
        }
@ -93,9 +94,6 @@ class OctoListener {
                const message = JSON.parse(e.data) as WSMessage
                switch (message.action) {
                case 'UPDATE_BLOCK':
-                    if (timeoutId) {
-                        clearTimeout(timeoutId)
-                    }
                    Utils.log(`OctoListener update block: ${message.block?.id}`)
                    this.queueUpdateNotification(message.block)
                    break
@ -124,6 +122,20 @@ class OctoListener {
        ws.close()
    }

+    authenticate(): void {
+        if (!this.ws) {
+            Utils.assertFailure('OctoListener.addBlocks: ws is not open')
+            return
+        }
+
+        const command = {
+            action: 'AUTH',
+            token: this.token,
+        }
+
+        this.ws.send(JSON.stringify(command))
+    }
+
    addBlocks(blockIds: string[]): void {
        if (!this.ws) {
            Utils.assertFailure('OctoListener.addBlocks: ws is not open')