Authenticate websocket comms using user-provided token if present

Fixes #2642
2025-03-01 10:36:34 +00:00 · 2020-07-06 20:45:07 +01:00
parent 0243a902b2
commit 57154b2853
2 changed files with 45 additions and 2 deletions
--- a/packages/node_modules/@node-red/editor-api/lib/editor/comms.js
+++ b/packages/node_modules/@node-red/editor-api/lib/editor/comms.js
@@ -129,11 +129,19 @@ function CommsConnection(ws) {
                                completeConnection(null,null,false);
                            }
                        });
+                    } else {
+                        Users.tokens(msg.auth).then(function(user) {
+                            if (user) {
+                                self.user = user;
+                                log.audit({event: "comms.auth",user:self.user});
+                                completeConnection(user.permissions,msg.auth,true);
                            } else {
                                log.audit({event: "comms.auth.fail"});
                                completeConnection(null,null,false);
                            }
                        });
+                    }
+                });
            } else {
                if (anonymousUser) {
                    log.audit({event: "comms.auth",user:anonymousUser});
--- a/test/unit/@node-red/editor-api/lib/editor/comms_spec.js
+++ b/test/unit/@node-red/editor-api/lib/editor/comms_spec.js
@@ -343,6 +343,7 @@ describe("api/editor/comms", function() {
        var getDefaultUser;
        var getUser;
        var getToken;
+        var getUserToken;
        before(function(done) {
            getDefaultUser = sinon.stub(Users,"default",function() { return when.resolve(null);});
            getUser = sinon.stub(Users,"get", function(username) {
@@ -352,6 +353,13 @@ describe("api/editor/comms", function() {
                    return when.resolve(null);
                }
            });
+            getUserToken = sinon.stub(Users,"tokens", function(token) {
+                if (token == "abcde") {
+                    return when.resolve({user:"wilma", permissions:"*"})
+                } else {
+                    return when.resolve(null);
+                }
+            });
            getToken = sinon.stub(Tokens,"get",function(token) {
                if (token == "1234") {
                    return when.resolve({user:"fred",scope:["*"]});
@@ -377,6 +385,7 @@ describe("api/editor/comms", function() {
            getDefaultUser.restore();
            getUser.restore();
            getToken.restore();
+            getUserToken.restore();
            comms.stop();
            server.stop(done);
        });
@@ -420,7 +429,33 @@ describe("api/editor/comms", function() {
                }
            });
        });
+        it('allows connections that do authenticate - user-provided-token',function(done) {
+            var ws = new WebSocket(url);
+            var received = 0;
+            ws.on('open', function() {
+                ws.send('{"auth":"abcde"}');
+            });
+            ws.on('message', function(msg) {
+                received++;
+                if (received == 1) {
+                    msg.should.equal('{"auth":"ok"}');
+                    ws.send('{"subscribe":"foo"}');
+                    connections[0].send('foo', 'correct');
+                } else {
+                    msg.should.equal('[{"topic":"foo","data":"correct"}]');
+                    ws.close();
+                }
+            });

+            ws.on('close', function() {
+                try {
+                    received.should.equal(2);
+                    done();
+                } catch(err) {
+                    done(err);
+                }
+            });
+        });
        it('rejects connections for non-existant token',function(done) {
            var ws = new WebSocket(url);
            var received = 0;