access control

Author: snowinszu

.github/workflows/docker-build.yml

@@ -35,5 +35,5 @@ jobs:
                 with:
                     push: true
                     platforms: linux/amd64
-                    tags: cdnbye/cbsignal_uws:latest
-#                    tags: cdnbye/cbsignal_uws:5.4.9
+#                    tags: cdnbye/cbsignal_uws:latest
+                    tags: cdnbye/cbsignal_uws:5.5.0

config/config.yaml

@@ -44,7 +44,11 @@ node:
   msg_consume_interval: 60
   max_pipe_length: 800
 
-
+#access:
+#  allowDomains:
+#    - example.com
+#  denyDomains:
+#    - example.com
 
 
 

lib/server.js

@@ -6,7 +6,7 @@ const cluster = require('cluster');
 const redis = require('./broker/redis');
 const Client = require('./client');
 const { checkToken, readJson, setCorsHeaders } = require("./utils/guard");
-const { getCPULoadAVG, getLocalIp, getVersionNum, ensureDirectory } = require("./utils/tool");
+const { getCPULoadAVG, getLocalIp, getVersionNum, ensureDirectory, getDomainFromOrigin } = require("./utils/tool");
 // const cpuOverload = new (require('./utils/cpuOverload'))(10, 80, 0.8);
 const decoder = new StringDecoder();
 const inspector = require("node:inspector");
@@ -16,7 +16,7 @@ const versionNumber = getVersionNum(version);
 const COMPACT_VERSION = "1";
 
 class Server {
-    constructor(hub, logger, endPoint, stats, ratelimit, security, compression, compact, extra = {}) {
+    constructor(hub, logger, endPoint, stats, ratelimit, security, compression, compact, access, extra = {}) {
         this.logger = logger;
         this.extra = extra;
         this.hub = hub;
@@ -33,19 +33,64 @@ class Server {
             this.limiter = new RateLimiter({ tokensPerInterval: ratelimit.max_rate, interval: "second" });
         }
         this.security = security || {};
+        this.access = access || {};
+        this.validateOrigin = false;
         this.stats = stats || {};
         this.compression = compression || {};
         this.compact = compact || {};
         this.internalIp = getLocalIp();
         // cpuOverload.check().then().catch(err => {
         //     logger.error(err)
         // });
+        this.validateAccess();
         this.app = this.isSSL ? SSLApp({
             key_file_name: endPoint.key,
             cert_file_name: endPoint.cert,
         }) : App();
     }
 
+    validateAccess() {
+        if (this.access.allowDomains !== undefined) {
+            if (this.access.denyDomains !== undefined) {
+                throw new Error(
+                    "allowDomains and denyDomains can't be set simultaneously",
+                );
+            } else if (!(this.access.allowDomains instanceof Array)) {
+                throw new Error(
+                    "allowDomains configuration parameters should be an array of strings",
+                );
+            }
+        } else if (
+            this.access.denyDomains !== undefined &&
+            !(this.access.denyDomains instanceof Array)
+        ) {
+            throw new Error(
+                "denyDomains configuration parameters should be an array of strings",
+            );
+        }
+
+        const origins = this.access.allowDomains ?? this.access.denyDomains;
+
+        if (origins !== undefined) {
+            for (const origin of origins) {
+                if (typeof origin !== "string") {
+                    throw new Error(
+                        "allowDomains and denyDomains configuration parameters should be arrays of strings",
+                    );
+                }
+            }
+        }
+
+        if (this.access.allowDomains) {
+            this.access.allowDomains = new Set(this.access.allowDomains);
+            this.validateOrigin = true
+        }
+        if (this.access.denyDomains) {
+            this.access.denyDomains = new Set(this.access.denyDomains);
+            this.validateOrigin = true
+        }
+    }
+
     buildServer() {
         this.app
             .get('/health', (response) => {
@@ -263,6 +308,7 @@ class Server {
         const secWebSocketKey = req.getHeader("sec-websocket-key");
         const secWebSocketProtocol = req.getHeader("sec-websocket-protocol");
         const secWebSocketExtensions = req.getHeader("sec-websocket-extensions");
+        const origin = req.getHeader("origin");
         const id = req.getQuery("id");
         const token = req.getQuery("token");
         const compactVersion = req.getQuery("c");
@@ -279,7 +325,7 @@ class Server {
             return
         }
         res.upgrade(
-            { id, token, compactVersion, device, batchable },
+            { id, token, compactVersion, device, batchable, origin },
             secWebSocketKey,
             secWebSocketProtocol,
             secWebSocketExtensions,
@@ -288,7 +334,7 @@ class Server {
     }
 
     _onOpen(ws) {
-        const { id, token, compactVersion, device, batchable } = ws.getUserData();
+        const { id, token, compactVersion, device, batchable, origin } = ws.getUserData();
         if (!id || id.length < 6) {
             ws.end(4000, 'id is not valid');
             return
@@ -297,6 +343,17 @@ class Server {
             ws.end(4000, 'token is not valid');
             return
         }
+        if (this.validateOrigin) {
+            const domain = getDomainFromOrigin(origin);
+            const shouldDeny = !!domain &&
+                (this.access.denyDomains?.has(domain) ||
+                    this.access.allowDomains?.has(domain) === false);
+            if (shouldDeny) {
+                this.logger.warn(`denied domain ${domain}`);
+                ws.end(4000, 'domain is denied');
+                return
+            }
+        }
         let client = this.hub.getClient(id);
         if (client) {
             // this.logger.info(`${id} is already exist`);

lib/utils/tool.js

@@ -123,6 +123,18 @@ const ensureDirectory = (dir) => {
     });
 }
 
+function getDomainFromOrigin(origin) {
+    if (!origin || origin === 'null') return null;
+
+    try {
+        const url = new URL(origin);
+        return url.hostname;
+    } catch (error) {
+        // console.error('Invalid origin:', origin);
+        return null;
+    }
+}
+
 module.exports = {
     getCertInfo,
     getCPULoadAVG,
@@ -133,4 +145,5 @@ module.exports = {
     randomNum,
     timeout,
     ensureDirectory,
+    getDomainFromOrigin,
 }

lib/worker.js

@@ -69,7 +69,7 @@ const startWorker = async (config = {}) => {
         }
     }
     for (let item of [...ports, ...sslPorts]) {
-        const server = new Server(hub, logger, item, config.stats, config.ratelimit, config.security, config.compression, config.compact, extra)
+        const server = new Server(hub, logger, item, config.stats, config.ratelimit, config.security, config.compression, config.compact, config.access, extra)
             .buildServer().run();
         servers.push(server);
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cbsignal_uws",
-  "version": "5.4.9",
+  "version": "5.5.0",
   "description": "SwarmCloud signaling server using uWebSockets.js",
   "main": "index.js",
   "bin": "index.js",