semi-functional allow-list implementation in historyKeeper
This commit is contained in:
ansuz
@@ -46,6 +46,8 @@ module.exports.create = function (config, cb) {
|
||||
paths: {},
|
||||
//msgStore: config.store,
|
||||
|
||||
netfluxUsers: {},
|
||||
|
||||
pinStore: undefined,
|
||||
pinnedPads: {},
|
||||
pinsLoaded: false,
|
||||
@@ -110,27 +112,81 @@ module.exports.create = function (config, cb) {
|
||||
// we drop cached metadata and indexes at the same time
|
||||
HK.dropChannel(Env, channelName);
|
||||
},
|
||||
channelOpen: function (Server, channelName, userId) {
|
||||
channelOpen: function (Server, channelName, userId, wait) {
|
||||
Env.channel_cache[channelName] = Env.channel_cache[channelName] || {};
|
||||
|
||||
//const metadata = Env.metadata_cache[channelName];
|
||||
// chainpad-server@4.0.3 supports a removeFromChannel method
|
||||
// Server.removeFromChannel(channelName, userId);
|
||||
// this lets us kick users from restricted channels
|
||||
var proceed = function () {
|
||||
Server.send(userId, [
|
||||
0,
|
||||
Env.id,
|
||||
'JOIN',
|
||||
channelName
|
||||
]);
|
||||
};
|
||||
|
||||
// XXX RESTRICT
|
||||
// this event is emitted whenever a user joins a channel.
|
||||
// if that channel is restricted then we should forcefully disconnect them.
|
||||
// we won't know that it's restricted until we load its metadata.
|
||||
// as long as metadata is in memory as long as anyone is sending messages to a channel
|
||||
// then we won't broadcast messages to unauthorized users
|
||||
// only conventional channels can be restricted
|
||||
if ((channelName || "").length !== 32) { // XXX use contants
|
||||
return proceed();
|
||||
}
|
||||
|
||||
Server.send(userId, [
|
||||
0,
|
||||
Env.id,
|
||||
'JOIN',
|
||||
channelName
|
||||
]);
|
||||
var next = wait();
|
||||
|
||||
// gets and caches the metadata...
|
||||
// XXX make sure it doesn't get stuck in cache...
|
||||
HK.getMetadata(Env, channelName, function (err, metadata) {
|
||||
if (err) {
|
||||
console.log("> METADATA ERR", err);
|
||||
throw new Error(err); // XXX
|
||||
}
|
||||
|
||||
if (!metadata || (metadata && !metadata.restricted)) {
|
||||
// the channel doesn't have metadata, or it does and it's not restricted
|
||||
// either way, let them join.
|
||||
proceed();
|
||||
return void next();
|
||||
}
|
||||
|
||||
// this channel is restricted. verify that the user in question is in the allow list
|
||||
|
||||
// construct a definitive list (owners + allowed)
|
||||
var allowed = HK.listAllowedUsers(metadata);
|
||||
// and get the list of keys for which this user has already authenticated
|
||||
var session = HK.getNetfluxSession(Env, userId);
|
||||
|
||||
// iterate over their keys. If any of them are in the allow list, let them join
|
||||
if (session) {
|
||||
for (var unsafeKey in session) {
|
||||
if (allowed.indexOf(unsafeKey) !== -1) {
|
||||
proceed();
|
||||
return void next();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// otherwise they're not allowed.
|
||||
// respond with a special error that includes the list of keys
|
||||
// which would be allowed...
|
||||
// XXX bonus points if you hash the keys to limit data exposure
|
||||
next(["ERESTRICTED"].concat(allowed));
|
||||
});
|
||||
},
|
||||
sessionClose: function (userId, reason) {
|
||||
HK.closeNetfluxSession(Env, userId);
|
||||
|
||||
// XXX RESTRICT drop user session data
|
||||
if (['BAD_MESSAGE', 'SOCKET_ERROR', 'SEND_MESSAGE_FAIL_2'].indexOf(reason) !== -1) {
|
||||
if (reason && reason.code === 'ECONNRESET') { return; }
|
||||
return void Log.error('SESSION_CLOSE_WITH_ERROR', {
|
||||
userId: userId,
|
||||
reason: reason,
|
||||
});
|
||||
}
|
||||
|
||||
if (reason && reason === 'SOCKET_CLOSED') { return; }
|
||||
Log.verbose('SESSION_CLOSE_ROUTINE', {
|
||||
userId: userId,
|
||||
reason: reason,
|
||||
});
|
||||
},
|
||||
directMessage: function (Server, seq, userId, json) {
|
||||
// netflux-server allows you to register an id with a handler
|
||||
|
||||
Reference in New Issue
Block a user