Reputation: 721
Laravel Broadcasting - Private Channels Accessible Without Bearer Token
I have setup socket.io with laravel-echo to join and listen to laravel broadcasting channels. Public channels are working fine as they do not require any auth. Private channels are not working as expected, i am able to join any private channel with socket.io client without passing the authorization token.
Socket.io Client
window.Echo = new Echo({
host: "http://127.0.0.1:6001",
auth:{
headers: {
Accept: 'application/json',
Authorization: 'Bearer ',
},
},
broadcaster: 'socket.io',
});
window.Echo.private('user'+"."+userid)
.listen('Notification', (e) => {
console.log(e);
})
Laravel-Echo-Server Config
{
"authHost": "http://127.0.0.1:8000",
"authEndpoint": "/broadcasting/auth",
"clients": [],
"database": "redis",
"databaseConfig": {
"redis": {
"port": "6379",
"host": "localhost"
},
"sqlite": {}
},
"devMode": true,
"host": null,
"port": "6001",
"protocol": "http",
"socketio": {},
"secureOptions": 67108864,
"sslCertPath": "",
"sslKeyPath": "",
"sslCertChainPath": "",
"sslPassphrase": "",
"subscribers": {
"http": true,
"redis": true
},
"apiOriginAllow": {
"allowCors": true,
"allowOrigin": "localhost",
"allowMethods": "GET, POST",
"allowHeaders": "Origin, Content-Type, X-Auth-Token, X-Requested-With, Accept, Authorization, X-CSRF-TOKEN, X-Socket-Id"
}
}
Channel Routes
Broadcast::channel('user.{userId}', function ($user, $userId) {
return (int) $user->id === (int) $userId;
});
BroadcastServiceProvider
Broadcast::routes(['middleware' => ['auth:api']]);
Auth Config
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
'hash' => false,
],
],
127.0.0.1:8000/broadcasting/auth Response When Accessing Without Token
{"message":"Unauthenticated."}
Laravel-Echo-Server
[4:50:17 PM] - Preparing authentication request to: http://127.0.0.1:8000
[4:50:17 PM] - Sending auth request to: http://127.0.0.1:8000/broadcasting/auth
[4:50:17 PM] - LtnbMInYDGa_QMMcAAAA authenticated for: private-user.1
[4:50:17 PM] - LtnbMInYDGa_QMMcAAAA joined channel: private-user.1
So my guess is that laravel-echo-server is not returning false on response "Unauthenticated"
Any help will be appreciated
Upvotes: 1
Views: 6552
Answers (1)
Reputation: 721
Alright, this was fun solving. I decided to check how laravel-echo-server is requesting to "broadcasting/auth" and how its handling the response of that request.
You can have a look at here : https://github.com/tlaverdure/laravel-echo-server/blob/master/src/channels/private-channel.ts
So laravel-echo-server returns true if the response code of broadcasting/auth is 200 and returns false if the response code is not 200 or if there was an error requesting.
The problem here is that when you send a request to laravel api route handled by passport authentication , it does return "Unauthenticated" message but without 401 code due to which the laravel-echo-server thinks that the request was successful and allows the user to join the channel.
Solution:
- Returning 401 Code With Passport Unauthenticated Response
- Middleware for Channel Authentication
Returning 401 Code With Passport Unauthenticated Response
projectdir\app\Exceptions Handler.php
...
use Illuminate\Auth\AuthenticationException;
...
public function render($request, Exception $exception)
{
if($exception instanceof AuthenticationException){
return response()->json(['message' => $exception->getMessage()], 401);
}else{
return response()->json(['message' => $exception->getMessage() ]);
}
return parent::render($request, $exception);
}
Middleware for Channel Authentication
php artisan make:middleware [name]
projectdir\app\Http\Middleware [name].php
use Closure;
use Illuminate\Support\Facades\Auth;
class SocketAuth
{
public function handle($request, Closure $next)
{
$user = Auth::User();
if($user !== null){
if($request->channel_name == "private-user.".$user->id){
return $next($request);
}else{
return response()->json(["message" => "Unauthenticated."], 401);
}
}
return response()->json(["message" => "Unauthenticated."], 401);
}
}
BroadcastServiceProvider
Broadcast::routes(["prefix" => "api", 'middleware' => ['auth:api', 'SocketAuth']]);
Register Middleware
projectdir\app\Http Kernel.php
protected $routeMiddleware = [
...
'SocketAuth' => \App\Http\Middleware\SocketAuth::class,
];
Laravel-Echo-Server Config
"authEndpoint": "/api/broadcasting/auth",
Result
Unauthenticated 401 - (Laravel-Echo-Server False) On : [ No token present in request from client side, Requested user channel !== Requesting user's channel ]
Authenticated 200 - (Laravel-Echo-Server True) On : [ Token present in request from client side and Requested user channel == Requesting user's channel ]
You can apply your logic for authenticating users to channels in the middleware.
Upvotes: 1
Related Questions
- How can I set public channel without any authentication on broadcasting laravel?
- Laravel Broadcast authentication
- Private channel not working with Laravel echo server
- laravel broadcasting for multiple guard
- How to define or pass auth guard for broadcast authentication routes instead of default auth guard?
- laravel broadcasting in admin guard
- Laravel authorization for Broadcast channels not working
- Authorization for laravel passport through socket.io for broadcasting channels
- Laravel Broadcast to a private channel using Socket.io
- Laravel broadcasting: private channels not working due to auth error