From 6c78717d9790775fb05575ee3dfc02f56b4c484b Mon Sep 17 00:00:00 2001
From: Kharhamel <oognic@gmail.com>
Date: Thu, 28 Oct 2021 14:53:07 +0200
Subject: [PATCH] FIX: the admin sockets now uses a short live to check room
 authorization

---
 pusher/src/Controller/IoSocketController.ts | 16 +++++++++-------
 pusher/src/Services/JWTTokenManager.ts      |  9 ++++++++-
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/pusher/src/Controller/IoSocketController.ts b/pusher/src/Controller/IoSocketController.ts
index c2aded67..7cfd9bd7 100644
--- a/pusher/src/Controller/IoSocketController.ts
+++ b/pusher/src/Controller/IoSocketController.ts
@@ -47,15 +47,19 @@ export class IoSocketController {
                 const websocketProtocol = req.getHeader("sec-websocket-protocol");
                 const websocketExtensions = req.getHeader("sec-websocket-extensions");
                 const token = query.token;
-                if (token !== ADMIN_SOCKETS_TOKEN) {
-                    console.log("Admin access refused for token: " + token);
+                let authorizedRoomIds: string[];
+                try {
+                    const data = jwtTokenManager.verifyAdminSocketToken(token as string);
+                    authorizedRoomIds = data.authorizedRoomIds;
+                } catch (e) {
+                    console.error("Admin access refused for token: " + token);
                     res.writeStatus("401 Unauthorized").end("Incorrect token");
                     return;
                 }
                 const roomId = query.roomId;
-                if (typeof roomId !== "string") {
-                    console.error("Received");
-                    res.writeStatus("400 Bad Request").end("Missing room id");
+                if (typeof roomId !== "string" || !authorizedRoomIds.includes(roomId)) {
+                    console.error("Invalid room id");
+                    res.writeStatus("403 Bad Request").end("Invalid room id");
                     return;
                 }
 
@@ -69,8 +73,6 @@ export class IoSocketController {
             },
             message: (ws, arrayBuffer, isBinary): void => {
                 try {
-                    const roomId = ws.roomId as string;
-
                     //TODO refactor message type and data
                     const message: { event: string; message: { type: string; message: unknown; userUuid: string } } =
                         JSON.parse(new TextDecoder("utf-8").decode(new Uint8Array(arrayBuffer)));
diff --git a/pusher/src/Services/JWTTokenManager.ts b/pusher/src/Services/JWTTokenManager.ts
index 24393084..fe418475 100644
--- a/pusher/src/Services/JWTTokenManager.ts
+++ b/pusher/src/Services/JWTTokenManager.ts
@@ -1,4 +1,4 @@
-import { ADMIN_API_URL, ALLOW_ARTILLERY, SECRET_KEY } from "../Enum/EnvironmentVariable";
+import { ADMIN_API_URL, ADMIN_SOCKETS_TOKEN, ALLOW_ARTILLERY, SECRET_KEY } from "../Enum/EnvironmentVariable";
 import { uuid } from "uuidv4";
 import Jwt, { verify } from "jsonwebtoken";
 import { TokenInterface } from "../Controller/AuthenticateController";
@@ -8,9 +8,16 @@ export interface AuthTokenData {
     identifier: string; //will be a email if logged in or an uuid if anonymous
     hydraAccessToken?: string;
 }
+export interface AdminSocketTokenData {
+    authorizedRoomIds: string[]; //the list of rooms the client is authorized to read from.
+}
 export const tokenInvalidException = "tokenInvalid";
 
 class JWTTokenManager {
+    public verifyAdminSocketToken(token: string): AdminSocketTokenData {
+        return Jwt.verify(token, ADMIN_SOCKETS_TOKEN) as AdminSocketTokenData;
+    }
+
     public createAuthToken(identifier: string, hydraAccessToken?: string) {
         return Jwt.sign({ identifier, hydraAccessToken }, SECRET_KEY, { expiresIn: "30d" });
     }