add security to websockets

Author: rjwats

interface/src/authentication/Authentication.ts

@@ -61,3 +61,13 @@ export function redirectingAuthorizedFetch(url: RequestInfo, params?: RequestIni
     });
   });
 }
+
+export function addAccessTokenParameter(url: string) {
+  const accessToken = localStorage.getItem(ACCESS_TOKEN);
+  if (!accessToken) {
+    return url;
+  }
+  const parsedUrl = new URL(url);
+  parsedUrl.searchParams.set(ACCESS_TOKEN, accessToken);
+  return parsedUrl.toString();
+}

interface/src/components/SocketController.tsx

@@ -3,6 +3,7 @@ import Sockette from 'sockette';
 import throttle from 'lodash/throttle';
 import { withSnackbar, WithSnackbarProps } from 'notistack';
 
+import { addAccessTokenParameter } from '../authentication';
 import { extractEventValue } from '.';
 
 export interface SocketControllerProps<D> extends WithSnackbarProps {
@@ -47,7 +48,7 @@ export function socketController<D, P extends SocketControllerProps<D>>(wsUrl: s
       constructor(props: Omit<P, keyof SocketControllerProps<D>> & WithSnackbarProps) {
         super(props);
         this.state = {
-          ws: new Sockette(wsUrl, {
+          ws: new Sockette(addAccessTokenParameter(wsUrl), {
             onmessage: this.onMessage,
             onopen: this.onOpen,
             onclose: this.onClose,

lib/framework/SecurityManager.h

@@ -8,6 +8,8 @@
 
 #define DEFAULT_JWT_SECRET "esp8266-react"
 
+#define ACCESS_TOKEN_PARAMATER "access_token"
+
 #define AUTHORIZATION_HEADER "Authorization"
 #define AUTHORIZATION_HEADER_PREFIX "Bearer "
 #define AUTHORIZATION_HEADER_PREFIX_LEN 7
@@ -72,6 +74,11 @@ class SecurityManager {
    */
   virtual String generateJWT(User* user) = 0;
 
+  /**
+   * Filter a request with the provided predicate, only returning true if the predicate matches.
+   */
+  virtual ArRequestFilterFunction filterRequest(AuthenticationPredicate predicate) = 0;
+
   /**
    * Wrap the provided request to provide validation against an AuthenticationPredicate.
    */

lib/framework/SecuritySettingsService.cpp

@@ -22,6 +22,10 @@ Authentication SecuritySettingsService::authenticateRequest(AsyncWebServerReques
       value = value.substring(AUTHORIZATION_HEADER_PREFIX_LEN);
       return authenticateJWT(value);
     }
+  } else if (request->hasParam(ACCESS_TOKEN_PARAMATER)) {
+    AsyncWebParameter* tokenParamater = request->getParam(ACCESS_TOKEN_PARAMATER);
+    String value = tokenParamater->value();
+    return authenticateJWT(value);
   }
   return Authentication();
 }
@@ -73,6 +77,13 @@ String SecuritySettingsService::generateJWT(User* user) {
   return _jwtHandler.buildJWT(payload);
 }
 
+ArRequestFilterFunction SecuritySettingsService::filterRequest(AuthenticationPredicate predicate) {
+  return [this, predicate](AsyncWebServerRequest* request) {
+    Authentication authentication = authenticateRequest(request);
+    return predicate(authentication);
+  };
+}
+
 ArRequestHandlerFunction SecuritySettingsService::wrapRequest(ArRequestHandlerFunction onRequest,
                                                               AuthenticationPredicate predicate) {
   return [this, onRequest, predicate](AsyncWebServerRequest* request) {

lib/framework/SecuritySettingsService.h

@@ -63,6 +63,7 @@ class SecuritySettingsService : public SettingsService<SecuritySettings>, public
   Authentication authenticate(String& username, String& password);
   Authentication authenticateRequest(AsyncWebServerRequest* request);
   String generateJWT(User* user);
+  ArRequestFilterFunction filterRequest(AuthenticationPredicate predicate);
   ArRequestHandlerFunction wrapRequest(ArRequestHandlerFunction onRequest, AuthenticationPredicate predicate);
   ArJsonRequestHandlerFunction wrapCallback(ArJsonRequestHandlerFunction callback, AuthenticationPredicate predicate);
 

lib/framework/SettingsSocket.h

@@ -14,8 +14,6 @@
 
 /**
  * SettingsSocket is designed to provide WebSocket based communication for making and observing updates to settings.
- *
- * TODO - Security via a parameter, optional on construction to start!
  */
 template <class T>
 class SettingsSocket {
@@ -24,12 +22,16 @@ class SettingsSocket {
                  SettingsDeserializer<T>* settingsDeserializer,
                  SettingsService<T>* settingsService,
                  AsyncWebServer* server,
-                 char const* socketPath) :
+                 char const* socketPath,
+                 SecurityManager* securityManager,
+                 AuthenticationPredicate authenticationPredicate = AuthenticationPredicates::IS_ADMIN) :
       _settingsSerializer(settingsSerializer),
       _settingsDeserializer(settingsDeserializer),
       _settingsService(settingsService),
       _server(server),
       _webSocket(socketPath) {
+    _settingsService->addUpdateHandler([&](String originId) { transmitData(nullptr, originId); }, false);
+    _webSocket.setFilter(securityManager->filterRequest(authenticationPredicate));
     _webSocket.onEvent(std::bind(&SettingsSocket::onWSEvent,
                                  this,
                                  std::placeholders::_1,
@@ -38,7 +40,29 @@ class SettingsSocket {
                                  std::placeholders::_4,
                                  std::placeholders::_5,
                                  std::placeholders::_6));
+    _server->addHandler(&_webSocket);
+    _server->on(socketPath, HTTP_GET, std::bind(&SettingsSocket::forbidden, this, std::placeholders::_1));
+  }
+  
+  SettingsSocket(SettingsSerializer<T>* settingsSerializer,
+                 SettingsDeserializer<T>* settingsDeserializer,
+                 SettingsService<T>* settingsService,
+                 AsyncWebServer* server,
+                 char const* socketPath) :
+      _settingsSerializer(settingsSerializer),
+      _settingsDeserializer(settingsDeserializer),
+      _settingsService(settingsService),
+      _server(server),
+      _webSocket(socketPath) {
     _settingsService->addUpdateHandler([&](String originId) { transmitData(nullptr, originId); }, false);
+    _webSocket.onEvent(std::bind(&SettingsSocket::onWSEvent,
+                                 this,
+                                 std::placeholders::_1,
+                                 std::placeholders::_2,
+                                 std::placeholders::_3,
+                                 std::placeholders::_4,
+                                 std::placeholders::_5,
+                                 std::placeholders::_6));
     _server->addHandler(&_webSocket);
   }
 
@@ -50,8 +74,15 @@ class SettingsSocket {
   AsyncWebSocket _webSocket;
 
   /**
-   * Responds to the WSEvent by sending the current settings to the clients when they connect and by applying the changes
-   * sent to the socket directly to the settings service.
+   * Renders a forbidden respnose to the client if they fail to connect.
+   */
+  void forbidden(AsyncWebServerRequest* request) {
+    request->send(403);
+  }
+
+  /**
+   * Responds to the WSEvent by sending the current settings to the clients when they connect and by applying the
+   * changes sent to the socket directly to the settings service.
    */
   void onWSEvent(AsyncWebSocket* server,
                  AsyncWebSocketClient* client,

src/LightSettingsService.cpp

@@ -12,7 +12,7 @@ LightSettingsService::LightSettingsService(AsyncWebServer* server,
                                            LightBrokerSettingsService* lightBrokerSettingsService) :
     _settingsEndpoint(&SERIALIZER, &DESERIALIZER, this, server, LIGHT_SETTINGS_ENDPOINT_PATH, securityManager),
     _settingsBroker(&HA_SERIALIZER, &HA_DESERIALIZER, this, mqttClient),
-    _settingsSocket(&SERIALIZER, &DESERIALIZER, this, server, LIGHT_SETTINGS_SOCKET_PATH),
+    _settingsSocket(&SERIALIZER, &DESERIALIZER, this, server, LIGHT_SETTINGS_SOCKET_PATH, securityManager),
     _mqttClient(mqttClient),
     _lightBrokerSettingsService(lightBrokerSettingsService) {
   // configure blink led to be output