security: WS auth via first-message, not query string
Tokens in URL leak through proxy access logs, browser history and
Referer headers. Now: WS opens unauthenticated, client sends
{type:'auth', token} as first message; server responds with
{type:'auth_ok'} and starts normal message processing.
5-second timeout closes any unauthenticated connection.
Frontend queues session join until auth_ok received.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Maxim Dolgolyov
+34
-16
@@ -279,27 +279,21 @@ function attach(httpServer) {
|
||||
const wss = new WebSocketServer({ server: httpServer, path: '/ws' });
|
||||
_wss = wss;
|
||||
|
||||
wss.on('connection', (ws, req) => {
|
||||
/* ── Auth ── */
|
||||
let user = null;
|
||||
try {
|
||||
const url = new URL(req.url, 'http://localhost');
|
||||
const token = url.searchParams.get('token') || '';
|
||||
user = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
|
||||
} catch {
|
||||
ws.close(4001, 'Unauthorized');
|
||||
return;
|
||||
}
|
||||
|
||||
ws.userId = user.id;
|
||||
ws.userName = user.name || user.email || '';
|
||||
wss.on('connection', (ws) => {
|
||||
ws.userId = null;
|
||||
ws.userName = '';
|
||||
ws.isAlive = true;
|
||||
|
||||
ws.on('pong', () => { ws.isAlive = true; });
|
||||
|
||||
ws._msgCount = 0;
|
||||
ws._msgCount = 0;
|
||||
ws._msgWindowStart = Date.now();
|
||||
|
||||
// Close unauthenticated connections after 5s
|
||||
ws._authTimer = setTimeout(() => {
|
||||
if (!ws.userId) { try { ws.close(4001, 'Auth timeout'); } catch {} }
|
||||
}, 5000);
|
||||
|
||||
ws.on('message', raw => {
|
||||
// Rate-limit: max 120 messages per second per connection
|
||||
const now = Date.now();
|
||||
@@ -308,13 +302,37 @@ function attach(httpServer) {
|
||||
|
||||
let msg;
|
||||
try { msg = JSON.parse(raw); } catch { return; }
|
||||
|
||||
// Pre-auth: only {type:'auth', token} accepted
|
||||
if (!ws.userId) {
|
||||
if (msg.type !== 'auth' || !msg.token) {
|
||||
try { ws.close(4001, 'Auth required'); } catch {}
|
||||
return;
|
||||
}
|
||||
try {
|
||||
const user = jwt.verify(msg.token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
|
||||
ws.userId = user.id;
|
||||
ws.userName = user.name || user.email || '';
|
||||
clearTimeout(ws._authTimer);
|
||||
ws._authTimer = null;
|
||||
try { ws.send(JSON.stringify({ type: 'auth_ok' })); } catch {}
|
||||
} catch {
|
||||
try { ws.close(4001, 'Invalid token'); } catch {}
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// Post-auth: normal handler
|
||||
try { _handleMessage(ws, msg); } catch (e) {
|
||||
// swallow — never crash the WS server on bad input
|
||||
}
|
||||
});
|
||||
|
||||
ws.on('error', () => {});
|
||||
ws.on('close', () => { _unregisterUser(ws); });
|
||||
ws.on('close', () => {
|
||||
if (ws._authTimer) { clearTimeout(ws._authTimer); ws._authTimer = null; }
|
||||
if (ws.userId) _unregisterUser(ws);
|
||||
});
|
||||
});
|
||||
|
||||
/* ── Ping/pong keepalive (30s) ── */
|
||||
|
||||
Reference in New Issue
Block a user