From b089a204d3b80525406a5bb5f872bc7dda86e1ff Mon Sep 17 00:00:00 2001
From: Torsten Grote
Date: Wed, 19 Sep 2018 14:12:13 -0300
Subject: [PATCH] Add support for websocket authentication via basic auth

The token should be used as username and the password left empty

---
 .../org/briarproject/briar/headless/Router.kt | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt b/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt
index b27286cd2..c6ab3ff8d 100644
--- a/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt
+++ b/briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt
@@ -4,10 +4,13 @@ import io.javalin.Javalin
 import io.javalin.JavalinEvent.SERVER_START_FAILED
 import io.javalin.JavalinEvent.SERVER_STOPPED
 import io.javalin.apibuilder.ApiBuilder.*
+import io.javalin.core.util.ContextUtil
+import io.javalin.core.util.Header
 import org.briarproject.briar.headless.blogs.BlogController
 import org.briarproject.briar.headless.forums.ForumController
 import org.briarproject.briar.headless.messaging.MessagingController
 import java.lang.Runtime.getRuntime
+import java.util.logging.Logger
 import javax.annotation.concurrent.Immutable
 import javax.inject.Inject
 import javax.inject.Singleton
@@ -25,6 +28,8 @@ constructor(
 private val blogController: BlogController
 ) {
 
+ private val logger: Logger = Logger.getLogger(this.javaClass.name)
+
 fun start(authToken: String, port: Int, debug: Boolean) {
 briarService.start()
 getRuntime().addShutdownHook(Thread(Runnable { briarService.stop() }))
@@ -68,8 +73,21 @@ constructor(
 }
 }
 app.ws("/v1/ws") { ws ->
- ws.onConnect { session -> webSocketController.sessions.add(session) }
- ws.onClose { session, _, _ -> webSocketController.sessions.remove(session) }
+ ws.onConnect { session ->
+ val authHeader = session.header(Header.AUTHORIZATION)
+ val token = ContextUtil.getBasicAuthCredentials(authHeader)?.username
+ if (authToken == token) {
+ logger.info("Adding websocket session with ${session.remoteAddress}")
+ webSocketController.sessions.add(session)
+ } else {
+ logger.info("Closing websocket connection with ${session.remoteAddress}")
+ session.close(1008, "Invalid Authentication Token")
+ }
+ }
+ ws.onClose { session, _, _ ->
+ logger.info("Removing websocket connection with ${session.remoteAddress}")
+ webSocketController.sessions.remove(session)
+ }
 }
 }
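Review bot: `authToken == token` in the new onConnect handler is a plain String equality that stops at the first differing character; for a secret compared against client-supplied input the usual choice is a constant-time comparison, e.g. `if (token != null && MessageDigest.isEqual(authToken.toByteArray(), token.toByteArray())) {` with `import java.security.MessageDigest` added to the import block changed in the first hunk. Whether the difference is measurable over the network here is hard to say from this hunk alone, but the change is cheap and makes the check match what readers expect for a bearer secret. A rejected connection is a security-relevant event, so `logger.warning(...)` instead of `logger.info(...)` in the "Closing websocket connection" branch would make failed authentication easier to pick out of the logs, while still never logging the presented credential. Since only the commit message explains the scheme, a comment on the handler would help the next maintainer: `// the API token is sent as the Basic-auth username; the password is ignored`. The enclosing start() function begins before this hunk, so the outer scope of `app.ws` is not visible here.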