beyondcode · mpociot · Dec 17, 2018 · Dec 6, 2018 · Dec 6, 2018 · Dec 7, 2018
diff --git a/config/websockets.php b/config/websockets.php
@@ -1,5 +1,7 @@
 <?php
 
+use BeyondCode\LaravelWebSockets\Dashboard\Http\Middleware\Authorize;
+
 return [
 
     /*
@@ -47,6 +49,18 @@
      */
     'path' => 'laravel-websockets',
 
+    /*
+     * Dashboard Routes Middleware
+     *
+     * These middleware will be assigned to every dashboard route, giving you
+     * the chance to add your own middleware to this list or change any of
+     * the existing middleware. Or, you can simply stick with this list.
+     */
+    'middleware' => [
+        'web',
+        Authorize::class,
+    ],
+
     'statistics' => [
         /*
          * This model will be used to store the statistics of the WebSocketsServer.

diff --git a/resources/views/dashboard.blade.php b/resources/views/dashboard.blade.php
@@ -120,7 +120,8 @@
                     authEndpoint: '/{{ request()->path() }}/auth',
                     auth: {
                         headers: {
-                            'X-CSRF-Token': "{{ csrf_token() }}"
+                            'X-CSRF-Token': "{{ csrf_token() }}",
+                            'X-App-ID': this.app.id
                         }
                     },
                     enabledTransports: ['ws', 'flash']

diff --git a/src/Dashboard/Http/Controllers/AuthenticateDashboard.php b/src/Dashboard/Http/Controllers/AuthenticateDashboard.php
@@ -2,13 +2,29 @@
 
 namespace BeyondCode\LaravelWebSockets\Dashboard\Http\Controllers;
 
+use Pusher\Pusher;
 use Illuminate\Http\Request;
-use Illuminate\Contracts\Broadcasting\Broadcaster;
+use BeyondCode\LaravelWebSockets\Apps\App;
+use Illuminate\Broadcasting\Broadcasters\PusherBroadcaster;
 
 class AuthenticateDashboard
 {
-    public function __invoke(Request $request, Broadcaster $broadcaster)
+    public function __invoke(Request $request)
     {
+        /**
+         * Find the app by using the header
+         * and then reconstruct the PusherBroadcaster
+         * using our own app selection.
+         */
+        $app = App::findById($request->header('x-app-id'));
+
+        $broadcaster = new PusherBroadcaster(new Pusher(
+            $app->key,
+            $app->secret,
+            $app->id,
+            []
+        ));
+
         /*
          * Since the dashboard itself is already secured by the
          * Authorize middleware, we can trust all channel

diff --git a/src/Dashboard/Http/Middleware/Authorize.php b/src/Dashboard/Http/Middleware/Authorize.php
@@ -8,6 +8,6 @@ class Authorize
 {
     public function handle($request, $next)
     {
-        return Gate::check('viewWebSocketsDashboard') ? $next($request) : abort(403);
+        return Gate::check('viewWebSocketsDashboard', [$request->user()]) ? $next($request) : abort(403);
     }
 }
diff --git a/src/WebSocketsServiceProvider.php b/src/WebSocketsServiceProvider.php
@@ -64,7 +64,7 @@ public function register()
     protected function registerRoutes()
     {
         Route::prefix(config('websockets.path'))->group(function () {
-            Route::middleware(AuthorizeDashboard::class)->group(function () {
+            Route::middleware(config('websockets.middleware', [AuthorizeDashboard::class]))->group(function () {
                 Route::get('/', ShowDashboard::class);
                 Route::get('/api/{appId}/statistics', [DashboardApiController::class,  'getStatistics']);
                 Route::post('auth', AuthenticateDashboard::class);