This repository was archived by the owner on Feb 7, 2024. It is now read-only.

Fix Invalid Signature issue and enable event creator to be sent from any app #39

Merged
merged 13 commits into from
Dec 17, 2018
Merged
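--- a/config/websockets.php
+++ b/config/websockets.php
@@ -1,5 +1,7 @@
 <?php
 
+use BeyondCode\LaravelWebSockets\Dashboard\Http\Middleware\Authorize;
+
 return [
 
 /*
@@ -47,6 +49,18 @@
 */
 'path' => 'laravel-websockets',
 
+/*
+* Dashboard Routes Middleware
+*
+* These middleware will be assigned to every dashboard route, giving you
+* the chance to add your own middleware to this list or change any of
+* the existing middleware. Or, you can simply stick with this list.
+*/
+'middleware' => [
+'web',
+Authorize::class,
+],
+
 'statistics' => [
 /*
 * This model will be used to store the statistics of the WebSocketsServer.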
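Review bot: The new comment above `'middleware'` invites users to change or replace the list but never says that `Authorize::class` is what guards the dashboard and its `auth` route. AuthenticateDashboard in this same change builds a Pusher broadcaster from the key and secret of whichever app the `X-App-ID` header names, on the stated assumption that the Authorize middleware has already run, so a published config that drops it (or sets `[]`) leaves that endpoint reachable without any authorization check. I would add a line to the comment such as `* Keep Authorize (or an equivalent authorization middleware) in this list; the dashboard auth endpoint trusts every request that reaches it.`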
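--- a/resources/views/dashboard.blade.php
+++ b/resources/views/dashboard.blade.php
@@ -120,7 +120,8 @@
 authEndpoint: '/{{ request()->path() }}/auth',
 auth: {
 headers: {
-'X-CSRF-Token': "{{ csrf_token() }}"
+'X-CSRF-Token': "{{ csrf_token() }}",
+'X-App-ID': this.app.id
 }
 },
 enabledTransports: ['ws', 'flash']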
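--- a/src/Dashboard/Http/Controllers/AuthenticateDashboard.php
+++ b/src/Dashboard/Http/Controllers/AuthenticateDashboard.php
@@ -2,13 +2,29 @@
 
 namespace BeyondCode\LaravelWebSockets\Dashboard\Http\Controllers;
 
+use Pusher\Pusher;
 use Illuminate\Http\Request;
-use Illuminate\Contracts\Broadcasting\Broadcaster;
+use BeyondCode\LaravelWebSockets\Apps\App;
+use Illuminate\Broadcasting\Broadcasters\PusherBroadcaster;
 
 class AuthenticateDashboard
 {
-public function __invoke(Request $request, Broadcaster $broadcaster)
+public function __invoke(Request $request)
 {
+/**
+* Find the app by using the header
+* and then reconstruct the PusherBroadcaster
+* using our own app selection.
+*/
+$app = App::findById($request->header('x-app-id'));
+
+$broadcaster = new PusherBroadcaster(new Pusher(
+$app->key,
+$app->secret,
+$app->id,
+[]
+));
+
 /*
 * Since the dashboard itself is already secured by the
 * Authorize middleware, we can trust all channel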
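Review bot: `$app` is dereferenced right after `App::findById($request->header('x-app-id'))` with no check that an app was found, so a request without the header, or with an id that matches no configured app, would fail on `$app->key` if `findById` returns null for a miss (its definition is not on this page). The header is set by the browser and should be handled as untrusted input; rejecting the request explicitly, for example `abort_if($app === null, 404);` directly after the lookup, gives a defined response instead of an unhandled error. The body of `__invoke` continues past the end of the hunk.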
2 changes: 1 addition & 1 deletion src/Dashboard/Http/Middleware/Authorize.php
Expand Up @@ -8,6 +8,6 @@ class Authorize
{
public function handle($request, $next)
{
return Gate::check('viewWebSocketsDashboard') ? $next($request) : abort(403);
return Gate::check('viewWebSocketsDashboard', [$request->user()]) ? $next($request) : abort(403);
}
}
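Review bot: The array given as the second argument of `Gate::check` is forwarded to the gate callback as extra parameters after the user the gate resolves on its own, so `[$request->user()]` does not change who is being authorized; the callback just receives the same user (or null) a second time. The rendered page does not mark which of the two `return` lines is the new one, and this note assumes it is the one with the extra argument. Whether the check can run for an unauthenticated visitor depends on the callback's signature rather than on this argument, so the line deserves a short comment stating the intent, e.g. `// Gate::check() already resolves the current user; the explicit argument is only an extra callback parameter.`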
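--- a/src/WebSocketsServiceProvider.php
+++ b/src/WebSocketsServiceProvider.php
@@ -64,7 +64,7 @@ public function register()
 protected function registerRoutes()
 {
 Route::prefix(config('websockets.path'))->group(function () {
-Route::middleware(AuthorizeDashboard::class)->group(function () {
+Route::middleware(config('websockets.middleware', [AuthorizeDashboard::class]))->group(function () {
 Route::get('/', ShowDashboard::class);
 Route::get('/api/{appId}/statistics', [DashboardApiController::class, 'getStatistics']);
 Route::post('auth', AuthenticateDashboard::class);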
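Review bot: The fallback in `config('websockets.middleware', [AuthorizeDashboard::class])` does not match the default this change adds to config/websockets.php, which is `['web', Authorize::class]`. Installations whose published config predates the new key would get the dashboard routes without the `web` group, so, assuming the stock `web` group, the `auth` POST route runs without session or CSRF middleware and the `$request->user()` now read in Authorize would typically have no session to resolve from. I would make the fallback `['web', AuthorizeDashboard::class]` so both paths behave the same. `registerRoutes()` continues past the end of the hunk.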