From 5d223c776ced19314fe4a1b4db868d143af2d4a6 Mon Sep 17 00:00:00 2001
From: STEINNI
Date: Sun, 21 Sep 2025 20:09:42 +0000
Subject: [PATCH] roles into wsscnx from sess
---
 actions/pubSub.js | 2 +-
 actions/store.js | 1 +
 wssConnexion.js | 44 ++++++++++---------------------------------
 wssGatewayConfig.json | 22 +++++++---------------
 wssServer.js | 8 +++++++-
 5 files changed, 26 insertions(+), 51 deletions(-)
diff --git a/actions/pubSub.js b/actions/pubSub.js
index d5e0243..c4b8185 100644
--- a/actions/pubSub.js
+++ b/actions/pubSub.js
@@ -146,7 +146,7 @@ export const methods = {
 if( (!this.accessRights.canPublish(this.userId, this.roles, payload.chan)) && (! this.rediscnx.redPillsUuids.includes(this.uuid)) ) {
 this.sendErr(action, 'Unauthorized chan !', reqid);
- if(this.debug) console.log('PUB: Unauthorized chan', payload.chan)
+ if(this.debug) console.log('PUB: Unauthorized chan', payload.chan, this.userId, this.roles)
 return
 }
diff --git a/actions/store.js b/actions/store.js
index 4e98c15..f606565 100644
--- a/actions/store.js
+++ b/actions/store.js
@@ -86,6 +86,7 @@ export const methods = {
 };
 if(!this.accessRights.canGet(this.userId, this.roles, payload.key)) {
+ console.log('Unauth GET key:',this.userId, this.roles, payload.key)
 this.sendErr(action, 'Unauthorized key !', reqid);
 return
 }
diff --git a/wssConnexion.js b/wssConnexion.js
index 5feecbb..86ba74e 100644
--- a/wssConnexion.js
+++ b/wssConnexion.js
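Review bot: The new `console.log('Unauth GET key:', ...)` in actions/store.js is unconditional, unlike the sibling line in actions/pubSub.js in this same commit, which is gated on `this.debug`; every unauthorized GET now writes the caller's userId, roles and requested key to stdout, and a client can trigger that as often as it likes. Gate it the same way: `if(this.debug) console.log('Unauth GET key:',this.userId, this.roles, payload.key)`. The enclosing method inside `methods` starts before the hunk.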
@@ -5,17 +5,16 @@ export class WssConnexion {
 constructor(options){
 Object.assign(this, gatewayActions)
-
- this.config = options.config;
- this.socket = options.socket;
- this.req = options.req;
- this.uuid = options.uuid;
- this.wssSrv = options.wssSrv;
- this.debug = options.debug;
- this.rediscnx = options.rediscnx;
- this.roles = []
- this.accessRights = options.accessRights;
- this.userId = '';
+ this.config = options.config
+ this.socket = options.socket
+ this.req = options.req
+ this.uuid = options.uuid
+ this.wssSrv = options.wssSrv
+ this.debug = options.debug
+ this.rediscnx = options.rediscnx
+ this.accessRights = options.accessRights
+ this.userId = options.userId
+ this.roles = options.roles
 this.sessionID = null // null until login
 this.subscriptions = [];
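Review bot: `this.roles = options.roles` and `this.userId = options.userId` drop the `[]` / `''` defaults the removed lines had, so a caller that omits them (or a session whose `userInfos.roles` is absent, which the wssServer.js guard in this patch does not check) leaves `this.roles` undefined and every `accessRights.can*()` call in actions/ receives `undefined` instead of an empty role list. Keep the defaults with `this.userId = options.userId ?? ''` and `this.roles = options.roles ?? []`, or refuse the connection when either is missing. Since roles are now copied once at construction, a comment such as `// snapshot of the session roles at connect time; later role changes do not reach an open connection` would document the new lifetime. The constructor continues past the hunk.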
@@ -36,29 +35,6 @@ export class WssConnexion {
 if(this.debug) console.log(`Welcome to UUID ${this.uuid}`)
 }
- async checkLogin(userInfo, otp){
- if(!this.config.server.devotpToken){
- let rawPayload = await this.rediscnx.redisGet(userInfo, this.config.redis.authTokenPrefix)
- let payload = JSON.parse(rawPayload)
- if(this.debug) console.log(`Got a token from Redis for ${userInfo} => ${JSON.stringify(payload)}`)
- if((!payload) || (!payload.token) || (!payload.roles)) return(false) // Redis/sessions issues : don't crash the daemon !
- this.token = payload.token
- this.roles = payload.roles
- this.sessionID = payload.sessionID || '!!no sessionID in the token key in Redis!!'
- } else {
- this.token = this.config.server.devotpToken
- this.roles = ['EIC_Dev']
- this.sessionID = this.config.server.devotpToken
- }
-
- let data = new TextEncoder().encode(this.token+this.challenge)
- let bytesBuf = await crypto.subtle.digest("SHA-512", data)
- let arrayBuf = Array.from(new Uint8Array(bytesBuf))
- let goodOTP = arrayBuf.map((b) => b.toString(16).padStart(2, "0")).join("")
- if(this.debug) console.log(`Checking challenge-response (token=${this.token}): ${otp} ?? ${goodOTP}`)
- return(otp == goodOTP)
- }
-
-
 startKeepAlive() {
 if(this.config.server.keepAliveInterval>0) {
 if(this.config.server.keepAliveInterval >= (1.5*this.config.server.keepAliveTimeout)) {
diff --git a/wssGatewayConfig.json b/wssGatewayConfig.json
index 4fd7f41..58575ea 100644
--- a/wssGatewayConfig.json
+++ b/wssGatewayConfig.json
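Review bot: With `checkLogin` removed, nothing on this page assigns `this.sessionID` any more, yet the constructor still initialises it with `this.sessionID = null // null until login` and the config keeps a `killSessions` action; if killSessions or any other action keys on sessionID, it will now see `null` for every connection. If the session id is available on `socket.session`, pass it through the constructor options like `userId` / `roles` (e.g. `this.sessionID = options.sessionID ?? null`) and fix the comment; otherwise document that sessionID is no longer populated. Authentication is now delegated entirely to the HTTP-session check in wssServer.js, so the `server.devotpToken` and `redis.authTokenPrefix` keys, which on this page were read only by the removed code, look dead after this commit and could be dropped from the config. The enclosing class continues outside the hunk.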
@@ -20,27 +20,19 @@
 {
 "roles": "*",
 "mustSubscribe": [ "system:notifs:[UID]", "onlineUsers", "system:notifs" ],
- "canSubscribe": ["chat:*_*","userchans:notifs"],
- "canPublish": [ "chat:*_*", "userchans:notifs" ],
- "canSet": [ "[UID]:userPrefs", "chat:friends", "collaborative:chalkboardUsers" ],
- "canGet": [ "[UID]:userPrefs", "chat:friends", "collaborative:chalkboardUsers" ]
+ "canSubscribe": ["gps:*","agents:*"],
+ "canPublish": [ ],
+ "canSet": [ "[UID]:userPrefs" ],
+ "canGet": [ "[UID]:userPrefs"]
 },
 {
- "roles": ["EIC_Admin","EIC_Dev"],
+ "roles": ["admin"],
 "mustSubscribe": ["system:adminNotifs"],
- "canSubscribe": ["collaborative:*"],
- "canPublish": ["system:notifs:*", "system:notifs", "infraNotifs:httpGateway", "infraNotifs:test", "collaborative:*"],
+ "canSubscribe": [ "infraNotifs:*", "gps:*","agents:*"],
+ "canPublish": ["gps:*", "agents:*", "system:notifs:*", "system:notifs", "infraNotifs:*"],
 "canSet": ["*:userPrefs"],
 "canGet": ["*:userPrefs"],
 "canDo": ["getActiveUsers", "killSessions","reloadAccessRights", "getAccessRights", "getPlatformState", "setPlatformState", "redPill"]
- },
- {
- "roles": ["EIC_Dev"],
- "uuids":["steinic"],
- "canPublish": [],
- "canSubscribe": [],
- "mustSubscribe": [],
- "canDo": ["REDPILL", "BLUEPILL"]
 }
 ],
 "redis":{
diff --git a/wssServer.js b/wssServer.js
index d3aff56..a3a166d 100644
--- a/wssServer.js
+++ b/wssServer.js
@@ -30,7 +30,7 @@ export class wssServer {
 newWSSConnexion(socket, req) {
 var uuid = crypto.randomUUID();
- if(socket.session && socket.session.authenticated && socket.session.userInfos && socket.session.userInfos.username){
+ if(socket.session && socket.session.authenticated && socket.session.userInfos && socket.session.userInfos.identity && socket.session.userInfos.identity.username){
 var wssCnx = new WssConnexion({
 socket: socket,
 req, req,
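Review bot: The `"roles": "*"` entry now grants every authenticated user `canSubscribe` on the unscoped wildcards `gps:*` and `agents:*`, while the same entry's `canSet` / `canGet` are deliberately narrowed to the caller's own `[UID]:userPrefs`. If gps or agent channels carry per-user or per-device data, a `[UID]`-scoped pattern or a dedicated role would match the rest of the policy better than `*`; if the broad read really is intended, it deserves a line in the project's access-rights documentation since JSON leaves nowhere to say so inline. The `admin` role's `canDo` still lists `"redPill"` although the per-uuid `REDPILL` / `BLUEPILL` entry is removed; confirm that the `redPill` action still exists and is meant to stay admin-callable.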
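Review bot: The guard tests `socket.session.userInfos.identity.username`, but the values the connection is actually built from in the next hunk are `identity.uuid` and `userInfos.roles`, neither of which is checked; a session with a username but no uuid yields a `userId` of `undefined`, which then becomes a key of `Users2uuids` and a member of `OnlineUsers`. Check what is consumed, and optional chaining keeps the line readable: `const ui = socket.session?.authenticated ? socket.session.userInfos : undefined;` followed by `if(ui?.identity?.uuid && Array.isArray(ui.roles)){`. The context line `req, req,` passes the same shorthand property twice; harmless, but one `req,` is enough. `newWSSConnexion` continues past the hunk.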
@@ -40,8 +40,14 @@ export class wssServer {
 config: this.wssGatewayConfig,
 rediscnx: this.REDIScnx,
 accessRights: this.accessRights,
+ userId: socket.session.userInfos.identity.uuid,
+ roles: socket.session.userInfos.roles,
 });
 this.AllWssConnections[uuid] = wssCnx;
+ if(!(wssCnx.userId in this.Users2uuids)) this.Users2uuids[wssCnx.userId] = new Set();
+ this.Users2uuids[wssCnx.userId].add(uuid);
+ this.OnlineUsers.add(wssCnx.userId);
+ this.REDIScnx.wssConnections[uuid] = wssCnx;
 this.postLoginActions(wssCnx)
 } else socket.close()
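Review bot: The four new registrations into `Users2uuids`, `OnlineUsers` and `REDIScnx.wssConnections` have no matching removal anywhere in this patch; unless the socket close handler (not visible here) deletes `uuid` from each, `OnlineUsers` and `Users2uuids` will keep users after their last connection drops and whatever backs `getActiveUsers` / `killSessions` will act on stale state — worth confirming against the close path. The `wssCnx.userId in this.Users2uuids` test also walks the prototype chain, so a userId equal to an inherited property name such as `constructor` would skip the `new Set()` and then fail on `.add`; `if(!Object.hasOwn(this.Users2uuids, wssCnx.userId))` or a `Map` avoids that, which matters only if `identity.uuid` is not validated upstream. The end of `newWSSConnexion` may lie past the hunk.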