Added anonymous/private logic

This commit is contained in:
Chris 2024-03-11 00:36:34 +01:00
parent d05d2e13e3
commit 88bf239eb1
6 changed files with 49 additions and 19 deletions

View File

@ -2,12 +2,15 @@
namespace NoccyLabs\Mercureact\Broker; namespace NoccyLabs\Mercureact\Broker;
use NoccyLabs\SimpleJWT\JWTToken;
use Psr\Http\Message\ServerRequestInterface;
use React\Stream\WritableStreamInterface; use React\Stream\WritableStreamInterface;
class SseSubscriber implements SubscriberInterface class SseSubscriber implements SubscriberInterface
{ {
public function __construct( public function __construct(
private WritableStreamInterface $stream private WritableStreamInterface $stream,
private ServerRequestInterface $request,
) )
{ {
} }
@ -17,8 +20,8 @@ class SseSubscriber implements SubscriberInterface
$this->stream->write($message->toString()); $this->stream->write($message->toString());
} }
public function isAuthorized(string $topics): bool public function isAuthorized(): bool
{ {
return true; return $this->request->getAttribute('authorization') instanceof JWTToken;
} }
} }

View File

@ -6,5 +6,5 @@ interface SubscriberInterface
{ {
public function deliver(Message $message): void; public function deliver(Message $message): void;
public function isAuthorized(string $topics): bool; public function isAuthorized(): bool;
} }

View File

@ -29,9 +29,17 @@ class Topic
public function publish(Message $message) public function publish(Message $message)
{ {
// TODO check if message id has already been published // TODO check if message id has already been published
if (isset($this->messages[$message->id])) return;
$this->messages[$message->id] = $message;
foreach ($this->subscribers as $subscriber) { foreach ($this->subscribers as $subscriber) {
// Deliver to all subscribers // Skip sending private messages to unauthorized subscribers
if ($message->private && !$subscriber->isAuthorized()) {
continue;
}
// Deliver to the subscriber
$subscriber->deliver($message); $subscriber->deliver($message);
} }
} }

View File

@ -34,7 +34,6 @@ class TopicManager
public function subscribe(SubscriberInterface $subscriber, array $topics): void public function subscribe(SubscriberInterface $subscriber, array $topics): void
{ {
foreach ($topics as $topic) { foreach ($topics as $topic) {
if ($subscriber->isAuthorized($topic))
$this->getTopic($topic)->addSubscriber($subscriber); $this->getTopic($topic)->addSubscriber($subscriber);
} }
$this->subscribers->attach($subscriber); $this->subscribers->attach($subscriber);

View File

@ -94,7 +94,21 @@ class MercureHandler
); );
[ $name, $value ] = array_map('urldecode', explode("=", $param, 2)); [ $name, $value ] = array_map('urldecode', explode("=", $param, 2));
if ($name === 'topic') $topics[] = $value; if ($name === 'topic') $topics[] = $value;
// TODO check claims for access }
// Grab the JWT token from the requests authorization attribute
$tok = $request->getAttribute('authorization');
if ($tok instanceof JWTToken) {
$claims = $tok->claims->getAll();
if (isset($claims['mercure']['subscribe'])) {
$subscribeClaims = $claims['mercure']['subscribe'];
// TODO check topic against publishClaims
if (!$this->checkTopicClaims($topics, $subscribeClaims)) {
throw new SecurityException("Insufficient permissions for subscribe", SecurityException::ERR_NO_PERMISSION);
}
}
} else {
// TODO add option to allow/disallow anonymous acess. should still respect
} }
$this->topicManager->subscribe($subscriber, $topics); $this->topicManager->subscribe($subscriber, $topics);
@ -142,13 +156,17 @@ class MercureHandler
$claims = $tok->claims->getAll(); $claims = $tok->claims->getAll();
if (isset($claims['mercure']['publish'])) { if (isset($claims['mercure']['publish'])) {
$publishClaims = $claims['mercure']['publish']; $publishClaims = $claims['mercure']['publish'];
// TODO check topic against publishClaims // check topic against publishClaims
if (!$this->checkTopicClaims($data['topic']??[], $publishClaims)) { if (!$this->checkTopicClaims($data['topic']??[], $publishClaims)) {
throw new SecurityException("Insufficient permissions for publish", SecurityException::ERR_NO_PERMISSION); throw new SecurityException("Insufficient permissions for publish", SecurityException::ERR_NO_PERMISSION);
} }
} }
} else { } else {
// FIXME reject if access denied // reject if access denied
throw new SecurityException(
message: "Access denied",
code: SecurityException::ERR_ACCESS_DENIED
);
} }
// Put an id in there if none already // Put an id in there if none already
@ -167,17 +185,19 @@ class MercureHandler
return Response::plaintext("urn:uuid:".$message->id."\n"); return Response::plaintext("urn:uuid:".$message->id."\n");
} }
private function checkTopicClaims(string|array $topic, array $claims, bool $all=false): bool private function checkTopicClaims(string|array $topic, array $claims): bool
{ {
// TODO match all topics if $all, reject on mismatch $matched = 0;
foreach ((array)$topic as $match) { foreach ((array)$topic as $match) {
foreach ($claims as $claim) { foreach ($claims as $claim) {
if ($claim === "*") return true; // TODO implement matching of URI Templates
if ($claim === $match) return true; if (($claim === "*") || ($claim === $match)) {
// TODO implement full matching $matched++;
break;
} }
} }
return false; }
return ($matched == count($topic));
} }
/** /**

View File

@ -3,7 +3,7 @@
namespace NoccyLabs\Mercureact\Http\Middleware; namespace NoccyLabs\Mercureact\Http\Middleware;
use NoccyLabs\Mercureact\Configuration; use NoccyLabs\Mercureact\Configuration;
use NoccyLabs\Mercureact\Http\Exeption\SecurityException; use NoccyLabs\Mercureact\Http\Exception\SecurityException;
use Psr\Http\Message\ResponseInterface; use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ServerRequestInterface;
use React\Http\Message\Response; use React\Http\Message\Response;
@ -68,8 +68,8 @@ class ResponseMiddleware
strlen($response->getBody()) strlen($response->getBody())
); );
return $response return $response
->withAddedHeader('Link', '<https://'.$host.'/.well-known/mercure>; rel="mercure"') // ->withAddedHeader('Link', '<https://'.$host.'/.well-known/mercure>; rel="mercure"')
->withAddedHeader('Link', '<wss://'.$host.'/.well-known/mercure>; rel="mercure+ws"') // ->withAddedHeader('Link', '<wss://'.$host.'/.well-known/mercure>; rel="mercure+ws"')
->withHeader('Access-Control-Allow-Origin', '*') ->withHeader('Access-Control-Allow-Origin', '*')
->withHeader('Content-Security-Policy', "default-src * 'self' http: 'unsafe-eval' 'unsafe-inline'; connect-src * 'self'") ->withHeader('Content-Security-Policy', "default-src * 'self' http: 'unsafe-eval' 'unsafe-inline'; connect-src * 'self'")
->withHeader('Cache-Control', 'must-revalidate') ->withHeader('Cache-Control', 'must-revalidate')