Merge pull request #386 from HeyPuter/eric/socket-auth

fix(security): Move token for socket.io to request body
Eric Dubé 2024-05-16 18:02:12 -04:00 committed by GitHub
commit 6fe126ad5a
GPG Key ID: B5690EEEBB952194
4 changed files with 6 additions and 6 deletions


@ -1146,8 +1146,8 @@ async function jwt_auth(req){
else if(req.query && req.query.auth_token) else if(req.query && req.query.auth_token)
token = req.query.auth_token; token = req.query.auth_token;
// Socket // Socket
else if(req.handshake && req.handshake.query && req.handshake.query.auth_token) else if(req.handshake && req.handshake.auth && req.handshake.auth.auth_token)
token = req.handshake.query.auth_token; token = req.handshake.auth.auth_token;
if(!token || token === 'null') if(!token || token === 'null')
throw('No auth token found'); throw('No auth token found');
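Review bot: The new handshake branch on the `else if` line takes `req.handshake.auth.auth_token` without checking its type; unlike a query-string value, which always arrives as a string, the socket.io `auth` payload is client-supplied data carried in the CONNECT packet, so an object, array or number can land in `token` and reach the checks below as-is. Narrowing the condition to `else if(req.handshake && req.handshake.auth && typeof req.handshake.auth.auth_token === 'string')` keeps non-string values on the `No auth token found` path. The same hunk still accepts the token from `req.query.auth_token` for plain HTTP requests two lines above; that path carries the same URL and access-log exposure this PR removes for sockets and is worth a follow-up. jwt_auth starts and ends outside the hunk.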


@ -158,7 +158,7 @@ class WebServerService extends BaseService {
// Socket.io middleware for authentication // Socket.io middleware for authentication
socketio.use(async (socket, next) => { socketio.use(async (socket, next) => {
if (socket.handshake.query.auth_token) { if (socket.handshake.auth.auth_token) {
try { try {
let auth_res = await jwt_auth(socket); let auth_res = await jwt_auth(socket);
// successful auth // successful auth
@ -168,7 +168,7 @@ class WebServerService extends BaseService {
socket.join(socket.user.id); socket.join(socket.user.id);
next(); next();
} catch (e) { } catch (e) {
console.log('socket auth err'); console.log('socket auth err', e);
} }
} }
}); });
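Review bot: The catch in the second hunk now logs the error but still never calls `next(...)`, so a socket whose token fails verification is neither accepted nor rejected and sits in the handshake until the client's connect timeout; the same happens when `auth_token` is absent, since there is no else branch before the closing `}` of the `if`. Rejecting explicitly, `next(new Error('unauthorized'));` both in the catch and after the `if`, gives the client a `connect_error` and frees the pending socket. Logging `e` is reasonable as long as jwt_auth does not include the raw token in what it throws — worth confirming, since the logged value is whatever jwt_auth produced. The enclosing WebServerService class continues outside the hunk.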


@ -65,7 +65,7 @@ class FileSystem{
} }
this.socket = io(this.APIOrigin, { this.socket = io(this.APIOrigin, {
query: { auth: {
auth_token: this.authToken, auth_token: this.authToken,
} }
}); });
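Review bot: `auth: { auth_token: this.authToken }` captures the token once when the socket is created, so if `this.authToken` is refreshed later (re-login, rotation) reconnects keep sending the stale value; the socket.io-client `auth` option also accepts a function, `auth: (cb) => cb({ auth_token: this.authToken }),` which re-reads it on every connection attempt. The same applies to the UIDesktop call site in the next file, which reads `window.auth_token`. Since the server side in this PR reads only `handshake.auth`, a client still sending the query form will no longer authenticate — expected for a security fix, but worth a line in the PR description for users on cached builds. The enclosing FileSystem method starts outside the hunk.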


@ -43,7 +43,7 @@ async function UIDesktop(options){
// connect socket. // connect socket.
window.socket = io(window.gui_origin + '/', { window.socket = io(window.gui_origin + '/', {
query: { auth: {
auth_token: window.auth_token auth_token: window.auth_token
} }
}); });