fix incorrect error handling logic when a JWT is created wrongly; closes pterodactyl/panel#3295

Prior to this change, not only was the error response for events incorrect, but we also registered event listeners before the authentication event; if auth failed, we flooded the socket with tons of output that was never going to be sent anyway.

This change now waits to register listeners until the socket is fully authenticated and we're guaranteed to have a token present.
Dane Everitt
2021-10-25 21:23:45 -07:00
parent 023d7ec1ec
commit 32d6594476
3 changed files with 36 additions and 28 deletions


@@ -269,7 +269,7 @@ func (h *Handler) setJwt(token *tokens.WebsocketPayload) {
}
// HandleInbound handles an inbound socket request and route it to the proper action.
func (h *Handler) HandleInbound(m Message) error {
func (h *Handler) HandleInbound(ctx context.Context, m Message) error {
if m.Event != AuthenticationEvent {
if err := h.TokenValid(); err != nil {
h.unsafeSendJson(Message{
@@ -285,13 +285,6 @@ func (h *Handler) HandleInbound(m Message) error {
{
token, err := NewTokenPayload([]byte(strings.Join(m.Args, "")))
if err != nil {
// If the error says the JWT expired, send a token expired
// event and hopefully the client renews the token.
if err == jwt.ErrExpValidation {
h.SendJson(&Message{Event: TokenExpiredEvent})
return nil
}
return err
}
@@ -304,10 +297,7 @@ func (h *Handler) HandleInbound(m Message) error {
h.setJwt(token)
// Tell the client they authenticated successfully.
h.unsafeSendJson(Message{
Event: AuthenticationSuccessEvent,
Args: []string{},
})
h.unsafeSendJson(Message{Event: AuthenticationSuccessEvent})
// Check if the client was refreshing their authentication token
// instead of authenticating for the first time.
@@ -317,6 +307,11 @@ func (h *Handler) HandleInbound(m Message) error {
return nil
}
// Now that we've authenticated with the token and confirmed that we're not
// reconnecting to the socket, register the event listeners for the server and
// the token expiration.
h.registerListenerEvents(ctx)
// On every authentication event, send the current server status back
// to the client. :)
state := h.server.Environment.State()
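Review bot: The new `h.registerListenerEvents(ctx)` call in the last hunk runs only on the first-authentication path, and the assumptions that makes safe are not documented anywhere in the visible lines. The listeners appear to be bound to the `ctx` passed in with this one inbound message, so the caller presumably has to supply a connection-scoped context; a per-message context would cancel them early. The token-refresh branch just above returns before this call, so listeners created under the original token stay in place after a refresh, and any permission filtering has to be done per outbound message against the current JWT rather than at registration time; that check is not visible here and should be confirmed. I would extend the added comment with something like `// ctx must live as long as the connection; listeners are registered once, and outbound events are checked against the current token on every send.` HandleInbound begins and ends outside these hunks, so double registration from repeated first-auth events could not be ruled out from this view.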