fix(realtime): Allow connections for guest users

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This commit is contained in:
Tilman Vatteroth 2022-10-03 18:39:44 +02:00
parent 4ab66dfe2d
commit a97f7e8fd1
8 changed files with 139 additions and 59 deletions

View file

@ -52,7 +52,7 @@ export class RealtimeNote extends (EventEmitter as TypedEventEmitterConstructor<
*/
public addClient(client: WebsocketConnection): void {
this.clients.add(client);
this.logger.debug(`User '${client.getUser().username}' connected`);
this.logger.debug(`User '${client.getUsername()}' connected`);
}
/**
@ -63,7 +63,7 @@ export class RealtimeNote extends (EventEmitter as TypedEventEmitterConstructor<
public removeClient(client: WebsocketConnection): void {
this.clients.delete(client);
this.logger.debug(
`User '${client.getUser().username}' disconnected. ${
`User '${client.getUsername()}' disconnected. ${
this.clients.size
} clients left.`,
);

View file

@ -18,5 +18,6 @@ export function mockConnection(synced: boolean): WebsocketConnection {
isSynced: jest.fn(() => synced),
send: jest.fn(),
getUser: jest.fn(() => Mock.of<User>({ username: 'mockedUser' })),
getUsername: jest.fn(() => 'mocked user'),
});
}

View file

@ -192,4 +192,26 @@ describe('websocket connection', () => {
expect(sut.getUser()).toBe(mockedUser);
});
it('returns the correct username', () => {
const mockedUserWithUsername = Mock.of<User>({ username: 'MockUser' });
const sut = new WebsocketConnection(
mockedWebsocket,
mockedUserWithUsername,
mockedRealtimeNote,
);
expect(sut.getUsername()).toBe('MockUser');
});
it('returns a fallback if no username has been set', () => {
const sut = new WebsocketConnection(
mockedWebsocket,
mockedUser,
mockedRealtimeNote,
);
expect(sut.getUsername()).toBe('Guest');
});
});

View file

@ -30,7 +30,7 @@ export class WebsocketConnection {
*/
constructor(
websocket: WebSocket,
private user: User,
private user: User | null,
realtimeNote: RealtimeNote,
) {
const awareness = realtimeNote.getAwareness();
@ -94,7 +94,11 @@ export class WebsocketConnection {
return this.controlledAwarenessIds;
}
public getUser(): User {
public getUser(): User | null {
return this.user;
}
public getUsername(): string {
return this.getUser()?.username ?? 'Guest';
}
}

View file

@ -3,6 +3,7 @@
*
* SPDX-License-Identifier: AGPL-3.0-only
*/
import { Optional } from '@mrdrogdrog/optional';
import { ConfigModule } from '@nestjs/config';
import { EventEmitterModule } from '@nestjs/event-emitter';
import { Test, TestingModule } from '@nestjs/testing';
@ -64,7 +65,9 @@ describe('Websocket gateway', () => {
const mockedValidSessionCookie = 'mockedValidSessionCookie';
const mockedSessionIdWithUser = 'mockedSessionIdWithUser';
const mockedValidUrl = 'mockedValidUrl';
const mockedValidGuestUrl = 'mockedValidGuestUrl';
const mockedValidNoteId = 'mockedValidNoteId';
const mockedValidGuestNoteId = 'mockedValidGuestNoteId';
let sessionExistsForUser = true;
let noteExistsForNoteId = true;
@ -151,14 +154,15 @@ describe('Websocket gateway', () => {
permissionsService = module.get<PermissionsService>(PermissionsService);
jest
.spyOn(sessionService, 'extractVerifiedSessionIdFromRequest')
.mockImplementation((request: IncomingMessage): string => {
if (request.headers.cookie === mockedValidSessionCookie) {
return mockedSessionIdWithUser;
} else {
throw new Error('no valid session cookie found');
}
});
.spyOn(sessionService, 'extractSessionIdFromRequest')
.mockImplementation(
(request: IncomingMessage): Optional<string> =>
Optional.ofNullable(
request.headers?.cookie === mockedValidSessionCookie
? mockedSessionIdWithUser
: null,
),
);
const mockUsername = 'mockUsername';
jest
@ -184,26 +188,37 @@ describe('Websocket gateway', () => {
.mockImplementation((request: IncomingMessage): string => {
if (request.url === mockedValidUrl) {
return mockedValidNoteId;
} else if (request.url === mockedValidGuestUrl) {
return mockedValidGuestNoteId;
} else {
throw new Error('no valid note id found');
}
});
const mockedNote = Mock.of<Note>({ id: 4711 });
const mockedGuestNote = Mock.of<Note>({ id: 1235 });
jest
.spyOn(notesService, 'getNoteByIdOrAlias')
.mockImplementation((noteId: string) =>
noteExistsForNoteId && noteId === mockedValidNoteId
? Promise.resolve(mockedNote)
: Promise.reject('no note found'),
);
.mockImplementation((noteId: string) => {
if (noteExistsForNoteId && noteId === mockedValidNoteId) {
return Promise.resolve(mockedNote);
}
if (noteId === mockedValidGuestNoteId) {
return Promise.resolve(mockedGuestNote);
} else {
return Promise.reject('no note found');
}
});
jest
.spyOn(permissionsService, 'mayRead')
.mockImplementation(
(user: User | null, note: Note): Promise<boolean> =>
Promise.resolve(
user === mockUser && note === mockedNote && userHasReadPermissions,
(user === mockUser &&
note === mockedNote &&
userHasReadPermissions) ||
(user === null && note === mockedGuestNote),
),
);
@ -231,6 +246,22 @@ describe('Websocket gateway', () => {
addClientSpy = jest.spyOn(mockedRealtimeNote, 'addClient');
});
it('adds a valid connection request without a session', async () => {
const request = Mock.of<IncomingMessage>({
socket: {
remoteAddress: 'mockHost',
},
url: mockedValidGuestUrl,
headers: {},
});
await expect(
gateway.handleConnection(mockedWebsocket, request),
).resolves.not.toThrow();
expect(addClientSpy).toHaveBeenCalledWith(mockedWebsocketConnection);
expect(mockedWebsocketCloseSpy).not.toHaveBeenCalled();
});
it('adds a valid connection request', async () => {
const request = Mock.of<IncomingMessage>({
socket: {

View file

@ -52,10 +52,12 @@ export class WebsocketGateway implements OnGatewayConnection {
extractNoteIdFromRequestUrl(request),
);
const username = user?.username ?? 'guest';
if (!(await this.permissionsService.mayRead(user, note))) {
//TODO: [mrdrogdrog] inform client about reason of disconnect.
this.logger.log(
`Access denied to note '${note.id}' for user '${user.username}'`,
`Access denied to note '${note.id}' for user '${username}'`,
'handleConnection',
);
clientSocket.close();
@ -65,7 +67,7 @@ export class WebsocketGateway implements OnGatewayConnection {
this.logger.debug(
`New realtime connection to note '${note.id}' (${
note.publicId
}) by user '${user.username}' from ${
}) by user '${username}' from ${
request.socket.remoteAddress ?? 'unknown'
}`,
);
@ -98,11 +100,15 @@ export class WebsocketGateway implements OnGatewayConnection {
*/
private async findUserByRequestSession(
request: IncomingMessage,
): Promise<User> {
const sessionId =
this.sessionService.extractVerifiedSessionIdFromRequest(request);
): Promise<User | null> {
const sessionId = this.sessionService.extractSessionIdFromRequest(request);
if (sessionId.isEmpty()) {
return null;
}
const username = await this.sessionService.fetchUsernameForSessionId(
sessionId,
sessionId.get(),
);
return await this.userService.getUserByUsername(username);
}

View file

@ -129,9 +129,9 @@ describe('SessionService', () => {
const mockedRequest = Mock.of<IncomingMessage>({
headers: {},
});
expect(() =>
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
).toThrow('No hedgedoc-session cookie found');
expect(
sessionService.extractSessionIdFromRequest(mockedRequest).isEmpty(),
).toBeTruthy();
});
it("fails if the cookie header isn't valid", () => {
@ -139,9 +139,9 @@ describe('SessionService', () => {
headers: { cookie: 'no' },
});
mockParseCookieModule(`s:anyValidSessionId.validSignature`);
expect(() =>
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
).toThrow('No hedgedoc-session cookie found');
expect(
sessionService.extractSessionIdFromRequest(mockedRequest).isEmpty(),
).toBeTruthy();
});
it("fails if the hedgedoc session cookie isn't marked as signed", () => {
@ -150,8 +150,10 @@ describe('SessionService', () => {
});
mockParseCookieModule('sessionId.validSignature');
expect(() =>
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
).toThrow("cookie doesn't look like a signed cookie");
sessionService.extractSessionIdFromRequest(mockedRequest),
).toThrow(
'cookie "hedgedoc-session" doesn\'t look like a signed session cookie',
);
});
it("fails if the hedgedoc session cookie doesn't contain a session id", () => {
@ -160,8 +162,10 @@ describe('SessionService', () => {
});
mockParseCookieModule('s:.validSignature');
expect(() =>
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
).toThrow("cookie doesn't look like a signed cookie");
sessionService.extractSessionIdFromRequest(mockedRequest),
).toThrow(
'cookie "hedgedoc-session" doesn\'t look like a signed session cookie',
);
});
it("fails if the hedgedoc session cookie doesn't contain a signature", () => {
@ -170,8 +174,10 @@ describe('SessionService', () => {
});
mockParseCookieModule('s:sessionId.');
expect(() =>
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
).toThrow("cookie doesn't look like a signed cookie");
sessionService.extractSessionIdFromRequest(mockedRequest),
).toThrow(
'cookie "hedgedoc-session" doesn\'t look like a signed session cookie',
);
});
it("fails if the hedgedoc session cookie isn't signed correctly", () => {
@ -180,8 +186,8 @@ describe('SessionService', () => {
});
mockParseCookieModule('s:sessionId.invalidSignature');
expect(() =>
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
).toThrow("Signature of hedgedoc-session cookie isn't valid.");
sessionService.extractSessionIdFromRequest(mockedRequest),
).toThrow('signature of cookie "hedgedoc-session" isn\'t valid.');
});
it('can extract a session id from a valid request', () => {
@ -190,7 +196,7 @@ describe('SessionService', () => {
});
mockParseCookieModule(`s:${validSessionId}.validSignature`);
expect(
sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
sessionService.extractSessionIdFromRequest(mockedRequest).get(),
).toBe(validSessionId);
});
});

View file

@ -70,27 +70,37 @@ export class SessionService {
* Extracts the hedgedoc session cookie from the given {@link IncomingMessage request} and checks if the signature is correct.
*
* @param request The http request that contains a session cookie
* @return The extracted session id
* @throws Error if no session cookie was found
* @throws Error if the cookie content is malformed
* @throws Error if the cookie content isn't signed
* @return An {@link Optional optional} that either contains the extracted session id or is empty if no session cookie has been found
* @throws Error if the cookie has been found but the content is malformed
* @throws Error if the cookie has been found but the content isn't signed
*/
extractVerifiedSessionIdFromRequest(request: IncomingMessage): string {
return Optional.ofNullable(request.headers.cookie)
extractSessionIdFromRequest(request: IncomingMessage): Optional<string> {
return Optional.ofNullable(request.headers?.cookie)
.map((cookieHeader) => parseCookie(cookieHeader)[HEDGEDOC_SESSION])
.orThrow(() => new Error(`No ${HEDGEDOC_SESSION} cookie found`))
.map((cookie) => SessionService.sessionCookieContentRegex.exec(cookie))
.orThrow(
() =>
new Error(
`${HEDGEDOC_SESSION} cookie doesn't look like a signed cookie`,
),
)
.guard(
(cookie) => unsign(cookie[1], this.authConfig.session.secret) !== false,
() => new Error(`Signature of ${HEDGEDOC_SESSION} cookie isn't valid.`),
)
.map((cookie) => cookie[2])
.get();
.map((rawCookie) =>
this.extractVerifiedSessionIdFromCookieContent(rawCookie),
);
}
/**
* Parses the given session cookie content and extracts the session id.
*
* @param rawCookie The cookie to parse
* @return The extracted session id
* @throws Error if the cookie has been found but the content is malformed
* @throws Error if the cookie has been found but the content isn't signed
*/
private extractVerifiedSessionIdFromCookieContent(rawCookie: string): string {
const parsedCookie =
SessionService.sessionCookieContentRegex.exec(rawCookie);
if (parsedCookie === null) {
throw new Error(
`cookie "${HEDGEDOC_SESSION}" doesn't look like a signed session cookie`,
);
}
if (unsign(parsedCookie[1], this.authConfig.session.secret) === false) {
throw new Error(`signature of cookie "${HEDGEDOC_SESSION}" isn't valid.`);
}
return parsedCookie[2];
}
}