socket-io middleware authentication

vaishnavachath · vaishnavachath · commit 93e675360a2b · 2018-06-29T05:38:18.000+05:30
expression session dependency was removed and simple socket.io middleware
 hash-challenge was used for authentication, modified the client and
server for the changes the passphrase can be supplied to serverstart already
as hash or as plaintext: the configuration files used for testing server.js were:
{
 "hash": true,
 "passphrase":"9f735e0df9a1ddc702bf0a1a7b83033f9f7153a00c29de82cedadc9957289b05",
 "port": 8000 ,
 "directory": "/usr/share/bone101"
 }
and
{
 "hash": false,
 "passphrase":"testpassword",
 "port": 8000 ,
 "directory": "/usr/share/bone101"
 }

also other unnecessary dependencies were removed, need to add test cases
diff --git a/package.json b/package.json
@@ -29,8 +29,6 @@
   "dependencies": {
     "chokidar": "2.0.3",
     "express": "4.13.4",
-    "express-session": "1.15.6",
-    "basic-auth": "2.0.0",
     "socket.io": "1.4.5",
     "systemd": "0.3.1",
     "winston": "2.1.1",
diff --git a/server.js b/server.js
@@ -12,8 +12,8 @@ fs.readFile(configFile, {
     } else {
         data = JSON.parse(data); //start server with saved config
         server = b.serverStart(data.port, data.directory, {
-            username: data.username,
-            password: data.password
+            data: data.passphrase,
+            hash: data.hash
         });
     }
     onServerStart();
diff --git a/src/bonescript.js b/src/bonescript.js
@@ -18,24 +18,14 @@ _bonescript.on.initialized = function () {};
 (function () {
     if (typeof document == 'undefined') {
         var io = require('socket.io-client');
-        var request = require('request');
-        var jar = request.jar();
+        var crypto = require('crypto');
         module.exports.startClient = function (host, callback) {
-            //get the cookie string to be send with the socket connection
-            var authUrl = 'http://' + host.address + ':' + host.port;
-            request.get({
-                url: authUrl,
-                jar: jar
-            }, function () {
-                const cookies = jar.getCookieString(authUrl);
-                _bonescript.on.initialized = callback;
-                var socket = _onSocketIOLoaded(host.address, host.port, io, {
-                    cookies: cookies,
-                    credentials: 'Basic ' + new Buffer(host.username + ':' + host.password).toString('base64')
-                });
-            });
+            var passphrase_hash;
+            if (host.password)
+                passphrase_hash = crypto.createHash('sha256').update(host.password).digest("hex"); //generate sha256 hash for supplied password
+            _bonescript.on.initialized = callback;
+            var socket = _onSocketIOLoaded(host.address, host.port, io, passphrase_hash);
         }
-
         return;
     }
     require = myrequire;
@@ -48,7 +38,7 @@ _bonescript.on.initialized = function () {};
     scriptObj.onload = _onSocketIOLoaded;
 }());
 
-function _onSocketIOLoaded(host, port, socketio, headers) {
+function _onSocketIOLoaded(host, port, socketio, passphrase_hash) {
     //console.log("socket.io loaded");
     if (typeof host == 'undefined') host = '___INSERT_HOST___';
     if (typeof port == 'undefined') port = 80;
@@ -57,8 +47,7 @@ function _onSocketIOLoaded(host, port, socketio, headers) {
     if (typeof host == 'string')
         socket = socketio('http://' + host + ':' + port, {
             extraHeaders: {
-                'Cookie': headers.cookies,
-                'Authorization': headers.credentials
+                'Authorization': typeof passphrase_hash != 'undefined' ? passphrase_hash : null //send passphrase_has as Authorization extraheader
             }
         });
     else
diff --git a/src/server.js b/src/server.js
@@ -6,6 +6,7 @@ var http = require('http');
 var winston = require('winston');
 var express = require('express');
 var events = require('events');
+var crypto = require('crypto');
 var socketHandlers = require('./socket_handlers');
 
 var serverEmitter = new events.EventEmitter();
@@ -16,14 +17,21 @@ myrequire('systemd', function () {
     if (debug) winston.debug("Startup as socket-activated service under systemd not enabled");
 });
 
-var serverStart = function (port, directory, credentials, callback) {
+var serverStart = function (port, directory, passphrase, callback) {
     if (port === undefined) {
         port = (process.env.LISTEN_PID > 0) ? 'systemd' : ((process.env.PORT) ? process.env.PORT : 80);
     }
     if (directory === undefined) {
         directory = (process.env.SERVER_DIR) ? process.env.SERVER_DIR : '/usr/share/bone101';
     }
-    var server = mylisten(port, directory, credentials);
+    var passphrase_hash;
+    if (passphrase) {
+        if (passphrase.hash) //whether passphrase supplied as hash/text
+            passphrase_hash = passphrase.data;
+        else
+            passphrase_hash = crypto.createHash('sha256').update(passphrase.data).digest("hex"); //generate hash
+    }
+    var server = mylisten(port, directory, passphrase_hash);
     serverEmitter.on('newListner', addServerListener);
 
     function addServerListener(event, listener) {
@@ -46,15 +54,15 @@ var serverStart = function (port, directory, credentials, callback) {
     return (serverEmitter);
 };
 
-function mylisten(port, directory, credentials) {
+function mylisten(port, directory, passphrase_hash) {
     winston.info("Opening port " + port + " to serve up " + directory);
     var app = express();
     app.get('/bonescript.js', socketHandlers.socketJSReqHandler);
     app.use('/bone101', express.static(directory));
     app.use('/bone101/static', express.static(directory + "/static"));
     app.use(express.static(directory));
     var server = http.createServer(app);
-    socketHandlers.addSocketListeners(server, serverEmitter, credentials);
+    socketHandlers.addSocketListeners(server, serverEmitter, passphrase_hash);
     server.listen(port);
     return (server);
 }
diff --git a/src/socket_handlers.js b/src/socket_handlers.js
@@ -9,21 +9,6 @@ var winston = require('winston');
 var socketio = require('socket.io');
 var debug = process.env.DEBUG ? true : false;
 
-var expressSession = require('express-session');
-var auth = require('basic-auth');
-var sessionStore = new expressSession.MemoryStore();
-
-var session = expressSession({
-    name: "connect.sid",
-    secret: "secretkey",
-    cookie: {
-        httpOnly: true
-    },
-    saveUninitialized: true,
-    resave: true,
-    store: sessionStore
-});
-
 var socketJSReqHandler = function (req, res) {
     function sendFile(err, file) {
         if (err) {
@@ -47,44 +32,32 @@ var socketJSReqHandler = function (req, res) {
     }
 }
 
-var addSocketListeners = function (server, serverEmitter, credentials) {
+var addSocketListeners = function (server, serverEmitter, passphrase_hash) {
     var io = socketio(server);
-    io.use(function (socket, next) { //use the session middleware
-        session(socket.request, socket.request.res, function () {
-            var user = auth(socket.request);
-            if (socket.request.sessionID) {
-                if (credentials) {
-                    if (user)
-                        socket.request.session.isLoggedIn = (user.name == credentials.username && user.pass == credentials.password);
-                    socket.request.session.isSecure = true;
+    if (passphrase_hash) { //attach middleware to handle authentication
+        io.use(function (socket, next) {
+            socket.auth = false; //consider the all sockets initially as unauthorized 
+            if (socket.handshake.headers.authorization) {
+                if (socket.handshake.headers.authorization == passphrase_hash) {
+                    socket.auth = true; //authorize the socket
+                    next();
                 } else
-                    socket.request.session.isSecure = false;
-                sessionStore.get(socket.request.sessionID, function (err, session) {
-                    if (!session)
-                        socket.request.session.save(); //store the session only if not already existing
-                    authenticateSession();
-                });
-            } else
-                next(new Error('no cookie data sent!!'));
-
-            function authenticateSession() {
-                sessionStore.get(socket.request.sessionID, function (err, session) {
-                    if (!session)
-                        next(new Error('session not found!!'));
-                    else if (session.isLoggedIn || !session.isSecure)
-                        next();
-                    else
-                        next(new Error('user not logged in!!check username or password'));
-                });
+                    next(new Error("Authentication Failed : incorrect passphrase !!"));
+            } else {
+                next(new Error("Authentication data not send !!"));
             }
         });
-    });
+    }
     if (debug) winston.debug('Listening for new socket.io clients');
-    io.on('connection', onconnect);
+    io.on('connection', function (socket) {
+        if (socket.auth || !passphrase_hash)
+            onconnect(socket);
+        else
+            socket.disconnect('unauthorized');
+    });
 
     function onconnect(socket) {
         winston.debug('Client connected');
-
         serverEmitter.emit('socket$connect', socket);
 
         // on disconnect
diff --git a/test/test-rpc_secure.js b/test/test-rpc_secure.js
@@ -4,8 +4,8 @@ var myserver = null;
 
 exports.setUp = function (callback) {
     server.serverStart(8000, process.cwd(), { // create a secure server by supplying credentials
-        username: 'testuser',
-        password: 'testpass'
+        data: 'testpass',
+        hash: false
     }, mycb);
 
     function mycb(serverobj) {
@@ -18,11 +18,12 @@ exports.testRPC_secure1 = function (test) {
     test.expect(1);
     bonescript.startClient({ // this should throw an  authentication error
         address: '127.0.0.1',
-        port: 8000
+        port: 8000,
+        password: 'tdestpass'
     }, function () {});
     process.on('uncaughtException', function (err) {
         console.log(err.toString());
-        test.equals(err.toString(), 'Error: user not logged in!!check username or password');
+        test.equals(err.toString(), 'Error: Authentication Failed : incorrect passphrase !!');
         myserver.close();
         test.done();
     });
@@ -33,7 +34,6 @@ exports.testRPC_secure2 = function (test) {
     bonescript.startClient({
         address: '127.0.0.1',
         port: 8000,
-        username: 'testuser',
         password: 'testpass' // will not throw any error
     }, function () {
         var b = bonescript.require('bonescript');
