Added anonymous/private logic
This commit is contained in:
parent
d05d2e13e3
commit
88bf239eb1
@ -2,12 +2,15 @@
|
|||||||
|
|
||||||
namespace NoccyLabs\Mercureact\Broker;
|
namespace NoccyLabs\Mercureact\Broker;
|
||||||
|
|
||||||
|
use NoccyLabs\SimpleJWT\JWTToken;
|
||||||
|
use Psr\Http\Message\ServerRequestInterface;
|
||||||
use React\Stream\WritableStreamInterface;
|
use React\Stream\WritableStreamInterface;
|
||||||
|
|
||||||
class SseSubscriber implements SubscriberInterface
|
class SseSubscriber implements SubscriberInterface
|
||||||
{
|
{
|
||||||
public function __construct(
|
public function __construct(
|
||||||
private WritableStreamInterface $stream
|
private WritableStreamInterface $stream,
|
||||||
|
private ServerRequestInterface $request,
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
@ -17,8 +20,8 @@ class SseSubscriber implements SubscriberInterface
|
|||||||
$this->stream->write($message->toString());
|
$this->stream->write($message->toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function isAuthorized(string $topics): bool
|
public function isAuthorized(): bool
|
||||||
{
|
{
|
||||||
return true;
|
return $this->request->getAttribute('authorization') instanceof JWTToken;
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -6,5 +6,5 @@ interface SubscriberInterface
|
|||||||
{
|
{
|
||||||
public function deliver(Message $message): void;
|
public function deliver(Message $message): void;
|
||||||
|
|
||||||
public function isAuthorized(string $topics): bool;
|
public function isAuthorized(): bool;
|
||||||
}
|
}
|
@ -29,9 +29,17 @@ class Topic
|
|||||||
public function publish(Message $message)
|
public function publish(Message $message)
|
||||||
{
|
{
|
||||||
// TODO check if message id has already been published
|
// TODO check if message id has already been published
|
||||||
|
if (isset($this->messages[$message->id])) return;
|
||||||
|
|
||||||
|
$this->messages[$message->id] = $message;
|
||||||
|
|
||||||
|
|
||||||
foreach ($this->subscribers as $subscriber) {
|
foreach ($this->subscribers as $subscriber) {
|
||||||
// Deliver to all subscribers
|
// Skip sending private messages to unauthorized subscribers
|
||||||
|
if ($message->private && !$subscriber->isAuthorized()) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
// Deliver to the subscriber
|
||||||
$subscriber->deliver($message);
|
$subscriber->deliver($message);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -34,7 +34,6 @@ class TopicManager
|
|||||||
public function subscribe(SubscriberInterface $subscriber, array $topics): void
|
public function subscribe(SubscriberInterface $subscriber, array $topics): void
|
||||||
{
|
{
|
||||||
foreach ($topics as $topic) {
|
foreach ($topics as $topic) {
|
||||||
if ($subscriber->isAuthorized($topic))
|
|
||||||
$this->getTopic($topic)->addSubscriber($subscriber);
|
$this->getTopic($topic)->addSubscriber($subscriber);
|
||||||
}
|
}
|
||||||
$this->subscribers->attach($subscriber);
|
$this->subscribers->attach($subscriber);
|
||||||
|
@ -94,7 +94,21 @@ class MercureHandler
|
|||||||
);
|
);
|
||||||
[ $name, $value ] = array_map('urldecode', explode("=", $param, 2));
|
[ $name, $value ] = array_map('urldecode', explode("=", $param, 2));
|
||||||
if ($name === 'topic') $topics[] = $value;
|
if ($name === 'topic') $topics[] = $value;
|
||||||
// TODO check claims for access
|
}
|
||||||
|
|
||||||
|
// Grab the JWT token from the requests authorization attribute
|
||||||
|
$tok = $request->getAttribute('authorization');
|
||||||
|
if ($tok instanceof JWTToken) {
|
||||||
|
$claims = $tok->claims->getAll();
|
||||||
|
if (isset($claims['mercure']['subscribe'])) {
|
||||||
|
$subscribeClaims = $claims['mercure']['subscribe'];
|
||||||
|
// TODO check topic against publishClaims
|
||||||
|
if (!$this->checkTopicClaims($topics, $subscribeClaims)) {
|
||||||
|
throw new SecurityException("Insufficient permissions for subscribe", SecurityException::ERR_NO_PERMISSION);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// TODO add option to allow/disallow anonymous acess. should still respect
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->topicManager->subscribe($subscriber, $topics);
|
$this->topicManager->subscribe($subscriber, $topics);
|
||||||
@ -142,13 +156,17 @@ class MercureHandler
|
|||||||
$claims = $tok->claims->getAll();
|
$claims = $tok->claims->getAll();
|
||||||
if (isset($claims['mercure']['publish'])) {
|
if (isset($claims['mercure']['publish'])) {
|
||||||
$publishClaims = $claims['mercure']['publish'];
|
$publishClaims = $claims['mercure']['publish'];
|
||||||
// TODO check topic against publishClaims
|
// check topic against publishClaims
|
||||||
if (!$this->checkTopicClaims($data['topic']??[], $publishClaims)) {
|
if (!$this->checkTopicClaims($data['topic']??[], $publishClaims)) {
|
||||||
throw new SecurityException("Insufficient permissions for publish", SecurityException::ERR_NO_PERMISSION);
|
throw new SecurityException("Insufficient permissions for publish", SecurityException::ERR_NO_PERMISSION);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// FIXME reject if access denied
|
// reject if access denied
|
||||||
|
throw new SecurityException(
|
||||||
|
message: "Access denied",
|
||||||
|
code: SecurityException::ERR_ACCESS_DENIED
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Put an id in there if none already
|
// Put an id in there if none already
|
||||||
@ -167,17 +185,19 @@ class MercureHandler
|
|||||||
return Response::plaintext("urn:uuid:".$message->id."\n");
|
return Response::plaintext("urn:uuid:".$message->id."\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
private function checkTopicClaims(string|array $topic, array $claims, bool $all=false): bool
|
private function checkTopicClaims(string|array $topic, array $claims): bool
|
||||||
{
|
{
|
||||||
// TODO match all topics if $all, reject on mismatch
|
$matched = 0;
|
||||||
foreach ((array)$topic as $match) {
|
foreach ((array)$topic as $match) {
|
||||||
foreach ($claims as $claim) {
|
foreach ($claims as $claim) {
|
||||||
if ($claim === "*") return true;
|
// TODO implement matching of URI Templates
|
||||||
if ($claim === $match) return true;
|
if (($claim === "*") || ($claim === $match)) {
|
||||||
// TODO implement full matching
|
$matched++;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return false;
|
}
|
||||||
|
return ($matched == count($topic));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
namespace NoccyLabs\Mercureact\Http\Middleware;
|
namespace NoccyLabs\Mercureact\Http\Middleware;
|
||||||
|
|
||||||
use NoccyLabs\Mercureact\Configuration;
|
use NoccyLabs\Mercureact\Configuration;
|
||||||
use NoccyLabs\Mercureact\Http\Exeption\SecurityException;
|
use NoccyLabs\Mercureact\Http\Exception\SecurityException;
|
||||||
use Psr\Http\Message\ResponseInterface;
|
use Psr\Http\Message\ResponseInterface;
|
||||||
use Psr\Http\Message\ServerRequestInterface;
|
use Psr\Http\Message\ServerRequestInterface;
|
||||||
use React\Http\Message\Response;
|
use React\Http\Message\Response;
|
||||||
@ -68,8 +68,8 @@ class ResponseMiddleware
|
|||||||
strlen($response->getBody())
|
strlen($response->getBody())
|
||||||
);
|
);
|
||||||
return $response
|
return $response
|
||||||
->withAddedHeader('Link', '<https://'.$host.'/.well-known/mercure>; rel="mercure"')
|
// ->withAddedHeader('Link', '<https://'.$host.'/.well-known/mercure>; rel="mercure"')
|
||||||
->withAddedHeader('Link', '<wss://'.$host.'/.well-known/mercure>; rel="mercure+ws"')
|
// ->withAddedHeader('Link', '<wss://'.$host.'/.well-known/mercure>; rel="mercure+ws"')
|
||||||
->withHeader('Access-Control-Allow-Origin', '*')
|
->withHeader('Access-Control-Allow-Origin', '*')
|
||||||
->withHeader('Content-Security-Policy', "default-src * 'self' http: 'unsafe-eval' 'unsafe-inline'; connect-src * 'self'")
|
->withHeader('Content-Security-Policy', "default-src * 'self' http: 'unsafe-eval' 'unsafe-inline'; connect-src * 'self'")
|
||||||
->withHeader('Cache-Control', 'must-revalidate')
|
->withHeader('Cache-Control', 'must-revalidate')
|
||||||
|
Loading…
Reference in New Issue
Block a user