websockets: decode jwts on authorized connections
Unix sockets never require authentication and it is possible for Websocket connections to authenticate with the request itself. In these cases the `identify` endpoint must still process an access_token if provided, as it allows the front end to assign the desired user to the connection. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
parent
80862799ed
commit
a5161816a7
|
@ -367,7 +367,7 @@ class WebsocketManager(APITransport):
|
||||||
) -> RPCCallback:
|
) -> RPCCallback:
|
||||||
async def func(args: Dict[str, Any]) -> Any:
|
async def func(args: Dict[str, Any]) -> Any:
|
||||||
sc: BaseSocketClient = args.pop("_socket_")
|
sc: BaseSocketClient = args.pop("_socket_")
|
||||||
sc.authenticate(path=endpoint)
|
sc.check_authenticated(path=endpoint)
|
||||||
result = await callback(
|
result = await callback(
|
||||||
WebRequest(endpoint, args, request_method, sc,
|
WebRequest(endpoint, args, request_method, sc,
|
||||||
ip_addr=sc.ip_addr, user=sc.user_info))
|
ip_addr=sc.ip_addr, user=sc.user_info))
|
||||||
|
@ -376,7 +376,7 @@ class WebsocketManager(APITransport):
|
||||||
|
|
||||||
async def _handle_id_request(self, args: Dict[str, Any]) -> Dict[str, int]:
|
async def _handle_id_request(self, args: Dict[str, Any]) -> Dict[str, int]:
|
||||||
sc: BaseSocketClient = args["_socket_"]
|
sc: BaseSocketClient = args["_socket_"]
|
||||||
sc.authenticate()
|
sc.check_authenticated()
|
||||||
return {'websocket_id': sc.uid}
|
return {'websocket_id': sc.uid}
|
||||||
|
|
||||||
async def _handle_identify(self, args: Dict[str, Any]) -> Dict[str, int]:
|
async def _handle_identify(self, args: Dict[str, Any]) -> Dict[str, int]:
|
||||||
|
@ -585,20 +585,27 @@ class BaseSocketClient(Subscribable):
|
||||||
self.eventloop.register_callback(self._write_messages)
|
self.eventloop.register_callback(self._write_messages)
|
||||||
|
|
||||||
def authenticate(
|
def authenticate(
|
||||||
self, path: str = "",
|
self,
|
||||||
token: Optional[str] = None,
|
token: Optional[str] = None,
|
||||||
api_key: Optional[str] = None
|
api_key: Optional[str] = None
|
||||||
) -> None:
|
) -> None:
|
||||||
if not self._need_auth:
|
|
||||||
return
|
|
||||||
auth: AuthComp = self.server.lookup_component("authorization", None)
|
auth: AuthComp = self.server.lookup_component("authorization", None)
|
||||||
if auth is None:
|
if auth is None:
|
||||||
return
|
return
|
||||||
if token is not None:
|
if token is not None:
|
||||||
self.user_info = auth.validate_jwt(token)
|
self.user_info = auth.validate_jwt(token)
|
||||||
elif api_key is not None:
|
elif api_key is not None and self.user_info is None:
|
||||||
self.user_info = auth.validate_api_key(api_key)
|
self.user_info = auth.validate_api_key(api_key)
|
||||||
elif not auth.is_path_permitted(path):
|
else:
|
||||||
|
self.check_authenticated()
|
||||||
|
|
||||||
|
def check_authenticated(self, path: str = "") -> None:
|
||||||
|
if not self._need_auth:
|
||||||
|
return
|
||||||
|
auth: AuthComp = self.server.lookup_component("authorization", None)
|
||||||
|
if auth is None:
|
||||||
|
return
|
||||||
|
if not auth.is_path_permitted(path):
|
||||||
raise self.server.error("Unauthorized", 401)
|
raise self.server.error("Unauthorized", 401)
|
||||||
|
|
||||||
def on_user_logout(self, user: str) -> bool:
|
def on_user_logout(self, user: str) -> bool:
|
||||||
|
|
Loading…
Reference in New Issue