diff --git a/config/websockets.php b/config/websockets.php index a3fc7bb8b3..74075b5c52 100644 --- a/config/websockets.php +++ b/config/websockets.php @@ -1,5 +1,7 @@ 'laravel-websockets', + /* + * Dashboard Routes Middleware + * + * These middleware will be assigned to every dashboard route, giving you + * the chance to add your own middleware to this list or change any of + * the existing middleware. Or, you can simply stick with this list. + */ + 'middleware' => [ + 'web', + Authorize::class, + ], + 'statistics' => [ /* * This model will be used to store the statistics of the WebSocketsServer. diff --git a/resources/views/dashboard.blade.php b/resources/views/dashboard.blade.php index 74137a5521..d929253a23 100644 --- a/resources/views/dashboard.blade.php +++ b/resources/views/dashboard.blade.php @@ -120,7 +120,8 @@ authEndpoint: '/{{ request()->path() }}/auth', auth: { headers: { - 'X-CSRF-Token': "{{ csrf_token() }}" + 'X-CSRF-Token': "{{ csrf_token() }}", + 'X-App-ID': this.app.id } }, enabledTransports: ['ws', 'flash'] diff --git a/src/Dashboard/Http/Controllers/AuthenticateDashboard.php b/src/Dashboard/Http/Controllers/AuthenticateDashboard.php index 8e58775fca..23c11108f1 100644 --- a/src/Dashboard/Http/Controllers/AuthenticateDashboard.php +++ b/src/Dashboard/Http/Controllers/AuthenticateDashboard.php 
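Review bot: The comment above `'middleware'` in config/websockets.php invites users to change the list, but it does not say that `Authorize::class` is the access check for the dashboard routes. The AuthenticateDashboard controller touched by this commit states that it trusts all channel requests because the Authorize middleware has already run. Dropping that entry from the list would therefore presumably leave the dashboard auth endpoint without any check. I would add a line to the comment such as `* Keep Authorize::class (or an equivalent access check) in this list; the dashboard auth endpoint relies on it.`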
@@ -2,13 +2,29 @@ namespace BeyondCode\LaravelWebSockets\Dashboard\Http\Controllers; +use Pusher\Pusher; use Illuminate\Http\Request; -use Illuminate\Contracts\Broadcasting\Broadcaster; +use BeyondCode\LaravelWebSockets\Apps\App; +use Illuminate\Broadcasting\Broadcasters\PusherBroadcaster; class AuthenticateDashboard { - public function __invoke(Request $request, Broadcaster $broadcaster) + public function __invoke(Request $request) { + /** + * Find the app by using the header + * and then reconstruct the PusherBroadcaster + * using our own app selection. + */ + $app = App::findById($request->header('x-app-id')); + + $broadcaster = new PusherBroadcaster(new Pusher( + $app->key, + $app->secret, + $app->id, + [] + )); + /* * Since the dashboard itself is already secured by the * Authorize middleware, we can trust all channel diff --git a/src/Dashboard/Http/Middleware/Authorize.php b/src/Dashboard/Http/Middleware/Authorize.php index 772107fc78..1883c35eef 100644 --- a/src/Dashboard/Http/Middleware/Authorize.php +++ b/src/Dashboard/Http/Middleware/Authorize.php @@ -8,6 +8,6 @@ class Authorize { public function handle($request, $next) { - return Gate::check('viewWebSocketsDashboard') ? $next($request) : abort(403); + return Gate::check('viewWebSocketsDashboard', [$request->user()]) ? $next($request) : abort(403); } } diff --git a/src/WebSocketsServiceProvider.php b/src/WebSocketsServiceProvider.php index afacde5d6b..9c57842096 100644 --- a/src/WebSocketsServiceProvider.php +++ b/src/WebSocketsServiceProvider.php 
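Review bot: In `__invoke`, `$app` is dereferenced right after `App::findById($request->header('x-app-id'))` with no check that the lookup succeeded. The header is supplied by the client, so a missing or unknown id would presumably make `$app->key` fail on a non-object and surface as a 500 rather than a clean rejection. A guard such as `abort_if($app === null, 404);` before the `Pusher` instance is constructed would cover it. The new comment also opens with `/**` while the comment below it uses `/*`; a plain `/*` fits an inline comment. The body of `__invoke` continues outside the hunk.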
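Review bot: In `handle`, `[$request->user()]` is passed as the second parameter of `Gate::check`, which is the argument list forwarded to the ability callback, not the user being authorized. The gate still resolves its subject through its own user resolver, so the callback would receive the request user as an extra argument after the subject. If the intent is to authorize the request's user explicitly, `Gate::forUser($request->user())->check('viewWebSocketsDashboard')` expresses that. A short comment stating why the user is passed would help either way, since the gate definition is not visible in this hunk.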
@@ -64,7 +64,7 @@ public function register() protected function registerRoutes() { Route::prefix(config('websockets.path'))->group(function () { - Route::middleware(AuthorizeDashboard::class)->group(function () { + Route::middleware(config('websockets.middleware', [AuthorizeDashboard::class]))->group(function () { Route::get('/', ShowDashboard::class); Route::get('/api/{appId}/statistics', [DashboardApiController::class, 'getStatistics']); Route::post('auth', AuthenticateDashboard::class);
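Review bot: The fallback in `registerRoutes`, `[AuthorizeDashboard::class]`, does not match the default this commit ships in config/websockets.php, which is `['web', Authorize::class]`. Installations whose published config predates the `middleware` key would get the dashboard routes without the `web` group. In that case the `X-CSRF-Token` header the dashboard sends is presumably never verified, and `$request->user()` in the Authorize middleware may have no session to resolve from. Using the same list as the fallback, `config('websockets.middleware', ['web', AuthorizeDashboard::class])`, keeps both paths consistent. `registerRoutes` continues outside the hunk.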