Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Close the socket when authentication verification fails #262

Merged
merged 6 commits into from
Nov 22, 2018
Merged

Close the socket when authentication verification fails #262

merged 6 commits into from
Nov 22, 2018

Conversation

dominykas
Copy link
Contributor

Closes #260.

@dominykas dominykas added the feature New functionality or improvement label Nov 22, 2018
@dominykas dominykas mentioned this pull request Nov 22, 2018
Closed
dominykas
dominykas commented Nov 22, 2018
View reviewed changes
lib/index.js
@@ -65,7 +66,8 @@ internals.schema = Joi.object({
]),
index: Joi.boolean(),
timeout: Joi.number().integer().min(1).allow(false),
maxConnectionsPerUser: Joi.number().integer().min(1).allow(false).when('index', { is: true, otherwise: Joi.valid(false) })
maxConnectionsPerUser: Joi.number().integer().min(1).allow(false).when('index', { is: true, otherwise: Joi.valid(false) }),
verify: Joi.number().integer()
Copy link
Contributor Author

@dominykas dominykas Nov 22, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hueniverse you mentioned you'd like to see a min here? Aside from Joi trickery to achieve that (ref a key from another object) - is there really a need for that?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The point of making sure this is not less than the heartbeat rate is to set expectations. If you want to verify the connection faster than the heartbeat check, it will still only happen as fast as messages are passing through or the heartbeat check.

Also, verify is not very descriptive. I prefer minAuthVerifyIntervalMsec.

dominykas
dominykas commented Nov 22, 2018
View reviewed changes
lib/socket.js
return true;
}

if (Date.now() - this.auth._verified < this._listener._settings.auth.verify) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not adding a way to disable this completely - should I? By e.g. setting verify: false?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds reasonable. false works for me.

dominykas
dominykas commented Nov 22, 2018
View reviewed changes
lib/socket.js
@@ -263,6 +264,11 @@ internals.Socket.prototype._lifecycle = function (request) {
throw Boom.badRequest('Message missing id');
}

if (!this._verifyAuth()) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only added this for received messages, because of the heartbeat. If the server receives no heartbeat - it will disconnect anyways. There is a chance of someone configuring a very long heartbeat timeout and keeping on pushing messages, but is that an issue?

@hueniverse hueniverse merged commit 2dc88aa into hapijs:master Nov 22, 2018
@hueniverse hueniverse self-assigned this Nov 22, 2018
@hueniverse hueniverse added this to the 9.0.3 milestone Nov 22, 2018
hueniverse added a commit that referenced this pull request Nov 23, 2018
@hueniverse
Cleanup for #262
102f51f
@dominykas dominykas deleted the auth-verify branch November 23, 2018 12:50
@lock
Copy link

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@hueniverse hueniverse hueniverse left review comments

Assignees

@hueniverse hueniverse

Labels
feature New functionality or improvement
Projects
None yet
Milestone
9.1.0
Development

Successfully merging this pull request may close these issues.

Close the socket when authentication expires
2 participants
@dominykas @hueniverse