Verify Subscription has same UserAddress that it was created with

ServiceStack · Mar 24, 2015 · 833e4c2 · 833e4c2
1 parent fbcfc0f
commit 833e4c2
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/src/ServiceStack/HttpError.cs b/src/ServiceStack/HttpError.cs
@@ -119,6 +119,11 @@ public static Exception Conflict(string message)
             return new HttpError(HttpStatusCode.Conflict, message);
         }
 
+        public static Exception Forbidden(string message)
+        {
+            return new HttpError(HttpStatusCode.Forbidden, message);
+        }
+
         public ResponseStatus ToResponseStatus()
         {
             return Response.GetResponseStatus()

diff --git a/src/ServiceStack/LocalizedStrings.cs b/src/ServiceStack/LocalizedStrings.cs
@@ -35,6 +35,7 @@ public static class ErrorMessages
 
         //Server Events
         public static string SubscriptionNotExistsFmt = "Subscription '{0}' does not exist";
+        public static string SubscriptionForbiddenFmt = "Access to Subscription '{0}' is forbidden";
 
         //Validation
         public static string RequestAlreadyProcessedFmt = "Request '{0}' has already been processed";

diff --git a/src/ServiceStack/ServerEventsFeature.cs b/src/ServiceStack/ServerEventsFeature.cs
@@ -32,6 +32,7 @@ public class ServerEventsFeature : IPlugin
         public Action<IResponse, string> OnPublish { get; set; }
         public bool NotifyChannelOfSubscriptions { get; set; }
         public bool LimitToAuthenticatedUsers { get; set; }
+        public bool ValidateUserAddress { get; set; }
 
         public ServerEventsFeature()
         {
@@ -44,6 +45,7 @@ public ServerEventsFeature()
             HeartbeatInterval = TimeSpan.FromSeconds(10);
 
             NotifyChannelOfSubscriptions = true;
+            ValidateUserAddress = true;
         }
 
         public void Register(IAppHost appHost)
@@ -77,6 +79,20 @@ public void Register(IAppHost appHost)
                 appHost.RegisterService(typeof(ServerEventsSubscribersService), SubscribersPath);
             }
         }
+
+        public bool CanAccessSubscription(IRequest req, string subscriptionId)
+        {
+            if (!ValidateUserAddress)
+                return true;
+
+            var sub = req.TryResolve<IServerEvents>().GetSubscriptionInfo(subscriptionId);
+            return sub.UserAddress == req.UserHostAddress;
+        }
+
+        public bool CanAccessSubscription(IRequest req, SubscriptionInfo sub)
+        {
+            return !ValidateUserAddress || sub.UserAddress == req.UserHostAddress;
+        }
     }
 
     public class ServerEventsHandler : HttpAsyncTaskHandler
@@ -204,12 +220,25 @@ public override Task ProcessRequestAsync(IRequest req, IResponse res, string ope
 
             res.ApplyGlobalResponseHeaders();
 
+            var serverEvents = req.TryResolve<IServerEvents>();
+
             var feature = HostContext.GetPlugin<ServerEventsFeature>();
             if (feature.OnHeartbeatInit != null)
                 feature.OnHeartbeatInit(req);
 
+            if (req.Response.IsClosed)
+                return EmptyTask;
+
             var subscriptionId = req.QueryString["id"];
-            if (!req.TryResolve<IServerEvents>().Pulse(subscriptionId))
+            if (!feature.CanAccessSubscription(req, subscriptionId))
+            {
+                res.StatusCode = 403;
+                res.StatusDescription = "Invalid User Address";
+                res.EndHttpHandlerRequest(skipHeaders: true);
+                return EmptyTask;
+            }
+
+            if (!serverEvents.Pulse(subscriptionId))
             {
                 res.StatusCode = 404;
                 res.StatusDescription = "Subscription {0} does not exist".Fmt(subscriptionId);
@@ -258,9 +287,14 @@ public class ServerEventsUnRegisterService : Service
         public object Any(UnRegisterEventSubscriber request)
         {
             var subscription = ServerEvents.GetSubscriptionInfo(request.Id);
+
             if (subscription == null)
                 throw HttpError.NotFound(ErrorMessages.SubscriptionNotExistsFmt.Fmt(request.Id));
 
+            var feature = HostContext.GetPlugin<ServerEventsFeature>();
+            if (!feature.CanAccessSubscription(base.Request, subscription))
+                throw HttpError.Forbidden(ErrorMessages.SubscriptionForbiddenFmt.Fmt(request.Id));
+
             ServerEvents.UnRegister(subscription.SubscriptionId);
 
             return subscription.Meta;