Merge pull request #2216 from RedisInsight/be/feature/RI-4454_websocket_security

#RI-4567 - add security for socket

Author: egor-zalenski

redisinsight/api/src/main.ts

@@ -8,6 +8,7 @@ import { GlobalExceptionFilter } from 'src/exceptions/global-exception.filter';
 import { get } from 'src/utils';
 import { migrateHomeFolder } from 'src/init-helper';
 import { LogFileProvider } from 'src/modules/profiler/providers/log-file.provider';
+import { WindowsAuthAdapter } from 'src/modules/auth/window-auth/adapters/window-auth.adapter';
 import { AppModule } from './app.module';
 import SWAGGER_CONFIG from '../config/swagger';
 import LOGGER_CONFIG from '../config/logger';
@@ -49,6 +50,8 @@ export default async function bootstrap(): Promise<IApp> {
       app,
       SwaggerModule.createDocument(app, SWAGGER_CONFIG),
     );
+  } else {
+    app.useWebSocketAdapter(new WindowsAuthAdapter(app));
   }
 
   const logFileProvider = app.get(LogFileProvider);

redisinsight/api/src/modules/auth/window-auth/adapters/window-auth.adapter.ts

@@ -0,0 +1,35 @@
+import { INestApplication, Logger } from '@nestjs/common';
+import { IoAdapter } from '@nestjs/platform-socket.io';
+import { BaseWsInstance, MessageMappingProperties } from '@nestjs/websockets';
+import { get } from 'lodash';
+import { Observable } from 'rxjs';
+import { Socket } from 'socket.io';
+import { API_HEADER_WINDOW_ID } from 'src/common/constants';
+import ERROR_MESSAGES from 'src/constants/error-messages';
+import { WindowAuthService } from '../window-auth.service';
+
+export class WindowsAuthAdapter extends IoAdapter {
+  private windowAuthService: WindowAuthService;
+  private logger = new Logger('WindowsAuthAdapter');
+
+  constructor(private app: INestApplication) {
+    super(app);
+    this.windowAuthService = this.app.get(WindowAuthService);
+  }
+
+  async bindMessageHandlers(
+    socket: Socket,
+    handlers: MessageMappingProperties[],
+    transform: (data: any) => Observable<any>,
+  ) {
+    const windowId = (get(socket, `handshake.headers.${API_HEADER_WINDOW_ID}`) as string) || '';
+    const isAuthorized = await this.windowAuthService?.isAuthorized(windowId);
+
+    if (!isAuthorized) {
+      this.logger.error(ERROR_MESSAGES.UNDEFINED_WINDOW_ID);
+      return;
+    }
+
+    return super.bindMessageHandlers(socket, handlers, transform);
+  }
+}

redisinsight/ui/src/components/bulk-actions-config/BulkActionsConfig.tsx

@@ -19,6 +19,7 @@ import { connectedInstanceSelector } from 'uiSrc/slices/instances/instances'
 import { isProcessingBulkAction } from 'uiSrc/pages/browser/components/bulk-actions/utils'
 import { BrowserStorageItem, BulkActionsServerEvent, BulkActionsStatus, BulkActionsType, SocketEvent } from 'uiSrc/constants'
 import { addErrorNotification } from 'uiSrc/slices/app/notifications'
+import { CustomHeaders } from 'uiSrc/constants/api'
 
 interface IProps {
   retryDelay?: number
@@ -43,6 +44,7 @@ const BulkActionsConfig = ({ retryDelay = 5000 } : IProps) => {
     socketRef.current = io(`${getBaseApiUrl()}/bulk-actions`, {
       forceNew: true,
       query: { instanceId },
+      extraHeaders: { [CustomHeaders.WindowId]: window.windowId || '' },
       rejectUnauthorized: false,
     })
 

redisinsight/ui/src/components/global-subscriptions/CommonAppSubscription/CommonAppSubscription.tsx

@@ -12,6 +12,7 @@ import { connectedInstanceSelector } from 'uiSrc/slices/instances/instances'
 import { setTotalUnread } from 'uiSrc/slices/recommendations/recommendations'
 import { RecommendationsSocketEvents } from 'uiSrc/constants/recommendations'
 import { getFeatureFlagsSuccess } from 'uiSrc/slices/app/features'
+import { CustomHeaders } from 'uiSrc/constants/api'
 
 const CommonAppSubscription = () => {
   const { id: instanceId } = useSelector(connectedInstanceSelector)
@@ -28,7 +29,8 @@ const CommonAppSubscription = () => {
     socketRef.current = io(`${getBaseApiUrl()}`, {
       forceNew: false,
       rejectUnauthorized: false,
-      reconnection: true
+      reconnection: true,
+      extraHeaders: { [CustomHeaders.WindowId]: window.windowId || '' },
     })
 
     socketRef.current.on(SocketEvent.Connect, () => {

redisinsight/ui/src/components/monitor-config/MonitorConfig.tsx

@@ -20,6 +20,7 @@ import { getBaseApiUrl } from 'uiSrc/utils'
 import { MonitorErrorMessages, MonitorEvent, SocketErrors, SocketEvent } from 'uiSrc/constants'
 import { IMonitorDataPayload } from 'uiSrc/slices/interfaces'
 import { connectedInstanceSelector } from 'uiSrc/slices/instances/instances'
+import { CustomHeaders } from 'uiSrc/constants/api'
 import { IMonitorData } from 'apiSrc/modules/profiler/interfaces/monitor-data.interface'
 
 import ApiStatusCode from '../../constants/apiStatusCode'
@@ -59,6 +60,7 @@ const MonitorConfig = ({ retryDelay = 15000 } : IProps) => {
     const newSocket = io(`${getBaseApiUrl()}/monitor`, {
       forceNew: true,
       query: { instanceId },
+      extraHeaders: { [CustomHeaders.WindowId]: window.windowId || '' },
       rejectUnauthorized: false,
     })
     dispatch(setSocket(newSocket))

redisinsight/ui/src/components/pub-sub-config/PubSubConfig.tsx

@@ -3,6 +3,7 @@ import { useDispatch, useSelector } from 'react-redux'
 import { io, Socket } from 'socket.io-client'
 
 import { SocketEvent } from 'uiSrc/constants'
+import { CustomHeaders } from 'uiSrc/constants/api'
 import { PubSubEvent } from 'uiSrc/constants/pubSub'
 import { connectedInstanceSelector } from 'uiSrc/slices/instances/instances'
 import { PubSubSubscription } from 'uiSrc/slices/interfaces/pubsub'
@@ -37,6 +38,7 @@ const PubSubConfig = ({ retryDelay = 5000 } : IProps) => {
     socketRef.current = io(`${getBaseApiUrl()}/pub-sub`, {
       forceNew: true,
       query: { instanceId },
+      extraHeaders: { [CustomHeaders.WindowId]: window.windowId || '' },
       rejectUnauthorized: false,
     })
 

redisinsight/ui/src/constants/api.ts

@@ -114,6 +114,11 @@ enum ApiEndpoints {
   FEATURES = 'features',
 }
 
+export enum CustomHeaders {
+  DbIndex = 'ri-db-index',
+  WindowId = 'x-window-id',
+}
+
 export const DEFAULT_SEARCH_MATCH = '*'
 
 const SCAN_COUNT_DEFAULT_ENV = process.env.SCAN_COUNT_DEFAULT || '500'

redisinsight/ui/src/services/apiService.ts

@@ -2,6 +2,7 @@ import axios, { AxiosRequestConfig } from 'axios'
 import { isNumber } from 'lodash'
 import { sessionStorageService } from 'uiSrc/services'
 import { BrowserStorageItem } from 'uiSrc/constants'
+import { CustomHeaders } from 'uiSrc/constants/api'
 
 const { apiPort } = window.app.config
 const baseApiUrl = process.env.BASE_API_URL
@@ -26,12 +27,12 @@ export const requestInterceptor = (config: AxiosRequestConfig) => {
       const dbIndex = sessionStorageService.get(`${BrowserStorageItem.dbIndex}${instanceId}`)
 
       if (isNumber(dbIndex)) {
-        config.headers['ri-db-index'] = dbIndex
+        config.headers[CustomHeaders.DbIndex] = dbIndex
       }
     }
 
     if (window.windowId) {
-      config.headers['x-window-id'] = window.windowId
+      config.headers[CustomHeaders.WindowId] = window.windowId
     }
   }