Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Improve streaming server security (#10818)

Browse source 
* Check OAuth token scopes in the streaming API

* Use Sec-WebSocket-Protocol instead of query string to pass WebSocket token

Inspired by https://github.com/kubevirt/kubevirt/issues/1242
This commit is contained in:
ThibG 2019-05-24 15:21:42 +02:00 committed by Eugen Rochko
parent 84dc21d55d
commit d63c3c0cef
2 changed files with 44 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

6
app/javascript/mastodon/stream.js
View file

@ -71,11 +71,7 @@ export function connectStream(path, pollingRefresh = null, callbacks = () => ({
export default function getStream(streamingAPIBaseURL, accessToken, stream, { connected, received, disconnected, reconnected }) {
const params = [ `stream=${stream}` ];
if (accessToken !== null) {
params.push(`access_token=${accessToken}`);
}
const ws = new WebSocketClient(`${streamingAPIBaseURL}/api/v1/streaming/?${params.join('&')}`);
const ws = new WebSocketClient(`${streamingAPIBaseURL}/api/v1/streaming/?${params.join('&')}`, accessToken);
ws.onopen = connected;
ws.onmessage = e => received(JSON.parse(e.data));