2013-06-05 13:38:33 +02:00
|
|
|
var xtend = require('xtend');
|
2014-01-13 20:00:21 +01:00
|
|
|
var jwt = require('jsonwebtoken');
|
|
|
|
var UnauthorizedError = require('./UnauthorizedError');
|
2012-10-26 18:13:28 +02:00
|
|
|
|
2014-01-14 12:30:39 +01:00
|
|
|
function noQsMethod(options) {
|
2015-05-29 13:52:14 +02:00
|
|
|
var defaults = { required: true };
|
|
|
|
options = xtend(defaults, options);
|
|
|
|
|
2014-01-13 22:41:10 +01:00
|
|
|
return function (socket) {
|
2015-08-31 16:04:04 +02:00
|
|
|
var server = this.server || socket.server;
|
2014-01-14 12:30:39 +01:00
|
|
|
|
2014-06-05 20:45:41 +02:00
|
|
|
if (!server.$emit) {
|
|
|
|
//then is socket.io 1.0
|
2015-08-31 16:04:04 +02:00
|
|
|
var Namespace = Object.getPrototypeOf(server.sockets).constructor;
|
2014-06-05 20:45:41 +02:00
|
|
|
if (!~Namespace.events.indexOf('authenticated')) {
|
|
|
|
Namespace.events.push('authenticated');
|
|
|
|
}
|
|
|
|
}
|
2015-05-29 13:52:14 +02:00
|
|
|
|
|
|
|
if(options.required){
|
|
|
|
var auth_timeout = setTimeout(function () {
|
|
|
|
socket.disconnect('unauthorized');
|
|
|
|
}, options.timeout || 5000);
|
|
|
|
}
|
|
|
|
|
2014-01-13 22:41:10 +01:00
|
|
|
socket.on('authenticate', function (data) {
|
2015-05-29 13:52:14 +02:00
|
|
|
if(options.required){
|
|
|
|
clearTimeout(auth_timeout);
|
|
|
|
}
|
2015-11-01 20:44:25 +01:00
|
|
|
// error handler
|
|
|
|
var onError = function(err, code) {
|
2015-05-07 11:49:00 +02:00
|
|
|
if (err) {
|
|
|
|
code = code || 'unknown';
|
|
|
|
var error = new UnauthorizedError(code, {
|
|
|
|
message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err
|
|
|
|
});
|
2015-12-26 04:48:58 +01:00
|
|
|
var callback_timeout;
|
2018-09-27 10:53:48 +02:00
|
|
|
// If callback explicitely set to false, start timeout to disconnect socket
|
2015-12-26 04:48:58 +01:00
|
|
|
if (options.callback === false || typeof options.callback === "number") {
|
|
|
|
if (typeof options.callback === "number") {
|
|
|
|
if (options.callback < 0) {
|
|
|
|
// If callback is negative(invalid value), make it positive
|
|
|
|
options.callback = Math.abs(options.callback);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
callback_timeout = setTimeout(function () {
|
|
|
|
socket.disconnect('unauthorized');
|
|
|
|
}, (options.callback === false ? 0 : options.callback));
|
|
|
|
}
|
2015-05-07 11:49:00 +02:00
|
|
|
socket.emit('unauthorized', error, function() {
|
2015-12-26 04:48:58 +01:00
|
|
|
if (typeof options.callback === "number") {
|
|
|
|
clearTimeout(callback_timeout);
|
|
|
|
}
|
2015-05-07 11:49:00 +02:00
|
|
|
socket.disconnect('unauthorized');
|
|
|
|
});
|
|
|
|
return; // stop logic, socket will be close on next tick
|
|
|
|
}
|
2015-11-01 20:44:25 +01:00
|
|
|
};
|
2015-11-18 21:36:24 +01:00
|
|
|
|
2018-09-27 10:53:48 +02:00
|
|
|
var token = options.cookie ? socket.request.cookies[options.cookie] : (data ? data.token : undefined);
|
|
|
|
|
|
|
|
if(!token || typeof token !== "string") {
|
2015-11-01 20:44:25 +01:00
|
|
|
return onError({message: 'invalid token datatype'}, 'invalid_token');
|
|
|
|
}
|
2015-11-18 21:36:24 +01:00
|
|
|
|
2017-04-18 23:31:38 +02:00
|
|
|
// Store encoded JWT
|
2017-04-19 00:01:18 +02:00
|
|
|
socket[options.encodedPropertyName] = data.token;
|
2017-04-18 23:31:38 +02:00
|
|
|
|
2015-11-18 21:36:24 +01:00
|
|
|
var onJwtVerificationReady = function(err, decoded) {
|
2015-05-29 13:52:14 +02:00
|
|
|
|
2014-10-24 18:01:53 +02:00
|
|
|
if (err) {
|
2015-05-07 11:49:00 +02:00
|
|
|
return onError(err, 'invalid_token');
|
2014-01-13 22:41:10 +01:00
|
|
|
}
|
2015-05-29 13:52:14 +02:00
|
|
|
|
2015-05-07 11:49:00 +02:00
|
|
|
// success handler
|
2015-11-18 21:36:24 +01:00
|
|
|
var onSuccess = function() {
|
2016-06-15 08:25:40 +02:00
|
|
|
socket[options.decodedPropertyName] = decoded;
|
2015-05-07 11:49:00 +02:00
|
|
|
socket.emit('authenticated');
|
|
|
|
if (server.$emit) {
|
|
|
|
server.$emit('authenticated', socket);
|
|
|
|
} else {
|
2015-08-31 16:04:04 +02:00
|
|
|
//try getting the current namespace otherwise fallback to all sockets.
|
|
|
|
var namespace = (server.nsps && socket.nsp &&
|
|
|
|
server.nsps[socket.nsp.name]) ||
|
|
|
|
server.sockets;
|
|
|
|
|
2015-07-19 04:20:19 +02:00
|
|
|
// explicit namespace
|
2015-08-31 16:04:04 +02:00
|
|
|
namespace.emit('authenticated', socket);
|
2015-05-07 11:49:00 +02:00
|
|
|
}
|
2014-10-24 18:01:53 +02:00
|
|
|
};
|
2015-05-29 13:52:14 +02:00
|
|
|
|
2015-05-29 14:00:34 +02:00
|
|
|
if(options.additional_auth && typeof options.additional_auth === 'function') {
|
2015-07-05 18:57:24 +02:00
|
|
|
options.additional_auth(decoded, onSuccess, onError);
|
2014-06-05 20:45:41 +02:00
|
|
|
} else {
|
2014-10-24 18:01:53 +02:00
|
|
|
onSuccess();
|
2014-06-05 20:45:41 +02:00
|
|
|
}
|
2015-11-18 21:36:24 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
var onSecretReady = function(err, secret) {
|
|
|
|
if (err || !secret) {
|
|
|
|
return onError(err, 'invalid_secret');
|
|
|
|
}
|
2014-01-13 22:41:10 +01:00
|
|
|
|
2018-09-27 10:53:48 +02:00
|
|
|
jwt.verify(token, secret, options, onJwtVerificationReady);
|
2015-11-18 21:36:24 +01:00
|
|
|
};
|
|
|
|
|
2018-09-27 10:53:48 +02:00
|
|
|
getSecret(socket.request, options.secret, token, onSecretReady);
|
2015-11-18 21:36:24 +01:00
|
|
|
});
|
2014-01-13 22:41:10 +01:00
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
function authorize(options, onConnection) {
|
2017-04-18 23:31:38 +02:00
|
|
|
options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options);
|
2016-06-15 08:25:40 +02:00
|
|
|
|
2015-05-29 13:52:14 +02:00
|
|
|
if (!options.handshake) {
|
|
|
|
return noQsMethod(options);
|
|
|
|
}
|
|
|
|
|
2013-02-05 23:15:04 +01:00
|
|
|
var defaults = {
|
2017-04-18 23:26:47 +02:00
|
|
|
success: function(socket, accept){
|
|
|
|
if (socket.request) {
|
2014-06-03 13:12:07 +02:00
|
|
|
accept();
|
|
|
|
} else {
|
|
|
|
accept(null, true);
|
|
|
|
}
|
2014-01-13 20:00:21 +01:00
|
|
|
},
|
2017-04-18 23:26:47 +02:00
|
|
|
fail: function(error, socket, accept){
|
|
|
|
if (socket.request) {
|
2014-06-05 20:45:41 +02:00
|
|
|
accept(error);
|
2014-06-03 13:12:07 +02:00
|
|
|
} else {
|
|
|
|
accept(null, false);
|
|
|
|
}
|
2014-01-13 20:00:21 +01:00
|
|
|
}
|
2012-10-26 18:13:28 +02:00
|
|
|
};
|
2012-09-05 20:14:36 +02:00
|
|
|
|
2013-11-15 10:47:51 +01:00
|
|
|
var auth = xtend(defaults, options);
|
2013-06-30 21:06:21 +02:00
|
|
|
|
2017-04-18 23:26:47 +02:00
|
|
|
return function(socket, accept){
|
2014-01-13 20:00:21 +01:00
|
|
|
var token, error;
|
2016-11-22 14:27:04 +01:00
|
|
|
var handshake = data.handshake;
|
2017-04-18 23:26:47 +02:00
|
|
|
var req = socket.request || socket;
|
2014-06-05 20:45:41 +02:00
|
|
|
var authorization_header = (req.headers || {}).authorization;
|
2014-06-03 13:12:07 +02:00
|
|
|
|
|
|
|
if (authorization_header) {
|
|
|
|
var parts = authorization_header.split(' ');
|
2014-01-13 20:00:21 +01:00
|
|
|
if (parts.length == 2) {
|
|
|
|
var scheme = parts[0],
|
|
|
|
credentials = parts[1];
|
2012-09-05 20:14:36 +02:00
|
|
|
|
2015-05-18 03:05:00 +02:00
|
|
|
if (scheme.toLowerCase() === 'bearer') {
|
2014-01-13 20:00:21 +01:00
|
|
|
token = credentials;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
error = new UnauthorizedError('credentials_bad_format', {
|
|
|
|
message: 'Format is Authorization: Bearer [token]'
|
|
|
|
});
|
2017-04-18 23:26:47 +02:00
|
|
|
return auth.fail(error, socket, accept);
|
2014-01-13 20:00:21 +01:00
|
|
|
}
|
|
|
|
}
|
2013-11-06 18:19:00 +01:00
|
|
|
|
2016-10-20 18:13:23 +02:00
|
|
|
// Check if the header has to include authentication
|
|
|
|
if (options.auth_header_required && !token) {
|
|
|
|
return auth.fail(new UnauthorizedError('missing_authorization_header', {
|
|
|
|
message: 'Server requires Authorization Header'
|
|
|
|
}), data, accept);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the token from handshake or query string
|
2016-11-22 14:27:04 +01:00
|
|
|
if (handshake && handshake.query.token){
|
|
|
|
token = handshake.query.token;
|
|
|
|
}
|
|
|
|
else if (req._query && req._query.token) {
|
2014-06-06 20:09:06 +02:00
|
|
|
token = req._query.token;
|
|
|
|
}
|
|
|
|
else if (req.query && req.query.token) {
|
2014-06-06 19:28:11 +02:00
|
|
|
token = req.query.token;
|
2014-06-05 20:45:41 +02:00
|
|
|
}
|
2012-09-05 20:14:36 +02:00
|
|
|
|
2014-01-13 20:00:21 +01:00
|
|
|
if (!token) {
|
|
|
|
error = new UnauthorizedError('credentials_required', {
|
|
|
|
message: 'No Authorization header was found'
|
2012-09-05 20:14:36 +02:00
|
|
|
});
|
2017-04-18 23:26:47 +02:00
|
|
|
return auth.fail(error, socket, accept);
|
2014-01-13 20:00:21 +01:00
|
|
|
}
|
|
|
|
|
2017-04-18 23:31:38 +02:00
|
|
|
// Store encoded JWT
|
2019-07-24 15:55:12 +02:00
|
|
|
socket[options.encodedPropertyName] = token;
|
2017-04-18 23:31:38 +02:00
|
|
|
|
2015-11-18 21:36:24 +01:00
|
|
|
var onJwtVerificationReady = function(err, decoded) {
|
2014-01-13 20:00:21 +01:00
|
|
|
|
|
|
|
if (err) {
|
2015-11-18 21:36:24 +01:00
|
|
|
error = new UnauthorizedError(err.code || 'invalid_token', err);
|
2017-04-18 23:26:47 +02:00
|
|
|
return auth.fail(error, socket, accept);
|
2014-01-13 20:00:21 +01:00
|
|
|
}
|
|
|
|
|
2017-04-18 23:26:47 +02:00
|
|
|
socket[options.decodedPropertyName] = decoded;
|
2012-09-05 20:14:36 +02:00
|
|
|
|
2017-04-18 23:26:47 +02:00
|
|
|
return auth.success(socket, accept);
|
2015-11-18 21:36:24 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
var onSecretReady = function(err, secret) {
|
|
|
|
if (err) {
|
|
|
|
error = new UnauthorizedError(err.code || 'invalid_secret', err);
|
2017-04-18 23:26:47 +02:00
|
|
|
return auth.fail(error, socket, accept);
|
2015-11-18 21:36:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
jwt.verify(token, secret, options, onJwtVerificationReady);
|
|
|
|
};
|
|
|
|
|
|
|
|
getSecret(req, options.secret, token, onSecretReady);
|
2012-09-05 20:14:36 +02:00
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2015-11-18 21:36:24 +01:00
|
|
|
function getSecret(request, secret, token, callback) {
|
|
|
|
if (typeof secret === 'function') {
|
|
|
|
if (!token) {
|
|
|
|
return callback({ code: 'invalid_token', message: 'jwt must be provided' });
|
|
|
|
}
|
|
|
|
|
|
|
|
var parts = token.split('.');
|
|
|
|
|
|
|
|
if (parts.length < 3) {
|
|
|
|
return callback({ code: 'invalid_token', message: 'jwt malformed' });
|
|
|
|
}
|
|
|
|
|
|
|
|
if (parts[2].trim() === '') {
|
|
|
|
return callback({ code: 'invalid_token', message: 'jwt signature is required' });
|
|
|
|
}
|
|
|
|
|
|
|
|
var decodedToken = jwt.decode(token);
|
|
|
|
|
|
|
|
if (!decodedToken) {
|
|
|
|
return callback({ code: 'invalid_token', message: 'jwt malformed' });
|
|
|
|
}
|
|
|
|
|
|
|
|
secret(request, decodedToken, callback);
|
|
|
|
} else {
|
|
|
|
callback(null, secret);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
2012-09-05 20:14:36 +02:00
|
|
|
exports.authorize = authorize;
|
2017-04-18 23:21:07 +02:00
|
|
|
exports.UnauthorizedError = UnauthorizedError;
|