mardi 14 juillet 2020

Laravel Broadcasting - Private Channels Accessible Without Bearer Token

I have setup socket.io with laravel-echo to join and listen to laravel broadcasting channels. Public channels are working fine as they do not require any auth. Private channels are not working as expected, i am able to join any private channel with socket.io client without passing the authorization token.

Socket.io Client

window.Echo = new Echo({
    host: "http://127.0.0.1:6001",
    auth:{
        headers: {
            Accept: 'application/json',
            Authorization: 'Bearer ',
        },
    },
    broadcaster: 'socket.io',
});

window.Echo.private('user'+"."+userid)
.listen('Notification', (e) => {
    console.log(e);
})

Laravel-Echo-Server Config

{
"authHost": "http://127.0.0.1:8000",
"authEndpoint": "/broadcasting/auth",
"clients": [],
"database": "redis",
"databaseConfig": {
    "redis": {
        "port": "6379",
        "host": "localhost"
    },
    "sqlite": {}
},
"devMode": true,
"host": null,
"port": "6001",
"protocol": "http",
"socketio": {},
"secureOptions": 67108864,
"sslCertPath": "",
"sslKeyPath": "",
"sslCertChainPath": "",
"sslPassphrase": "",
"subscribers": {
    "http": true,
    "redis": true
},
"apiOriginAllow": {
    "allowCors": true,
    "allowOrigin": "localhost",
    "allowMethods": "GET, POST",
    "allowHeaders": "Origin, Content-Type, X-Auth-Token, X-Requested-With, Accept, Authorization, X-CSRF-TOKEN, X-Socket-Id"
}
}

Channel Routes

Broadcast::channel('user.{userId}', function ($user, $userId) {
    return (int) $user->id === (int) $userId;
});

BroadcastServiceProvider

Broadcast::routes(['middleware' => ['auth:api']]);

Auth Config

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
        'hash' => false,
    ],
],

127.0.0.1:8000/broadcasting/auth Response When Accessing Without Token

{"message":"Unauthenticated."}

Laravel-Echo-Server

[4:50:17 PM] - Preparing authentication request to: http://127.0.0.1:8000
[4:50:17 PM] - Sending auth request to: http://127.0.0.1:8000/broadcasting/auth
[4:50:17 PM] - LtnbMInYDGa_QMMcAAAA authenticated for: private-user.1
[4:50:17 PM] - LtnbMInYDGa_QMMcAAAA joined channel: private-user.1

So my guess is that laravel-echo-server is not returning false on response "Unauthenticated"

Any help will be appreciated



via Chebli Mohamed
Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire