add disallow_anonymous_connection_tokens option, relates #591

CHANGELOG.md

@@ -4,6 +4,7 @@ v4.1.1
 ### Improvements
 
 * Possibility to disable client protocol v1 using `disable_client_protocol_v1` boolean option. To remind you about client protocol v1 vs v2 migration in Centrifugo v4 take a look at [v3 to v4 migration guide](https://centrifugal.dev/docs/getting-started/migration_v4#client-sdk-migration). Centrifugo v4 uses client protocol v2 by default, all our recent SDKs only support client protocol v2. So if you are using modern stack then you can disable clients to use outdated protocol v1 right now. In Centrifugo v5 support for client protocol v1 will be completely removed, see [Centrifugo v5 roadmap](https://github.com/centrifugal/centrifugo/issues/599).
+* New boolean option `disallow_anonymous_connection_tokens`. When the option is set Centrifugo won't accept connections from anonymous users even if they provided a valid JWT. See [#591](https://github.com/centrifugal/centrifugo/issues/591)
 * More human-readable tracing logging output (especially in Protobuf protocol case). On the other hand, tracing log level is much more expensive now. We never assumed it will be used in production – so seems an acceptable trade-off.
 * Several internal optimizations in client protocol to reduce memory allocations.
 

internal/client/handler.go

@@ -336,6 +336,13 @@ func (h *Handler) OnClientConnecting(
 			return centrifuge.ConnectReply{}, err
 		}
 
+		if token.UserID == "" && ruleConfig.DisallowAnonymousConnectionTokens {
+			if h.node.LogEnabled(centrifuge.LogLevelDebug) {
+				h.node.Log(centrifuge.NewLogEntry(centrifuge.LogLevelDebug, "anonymous connection tokens disallowed", map[string]interface{}{"client": e.ClientID}))
+			}
+			return centrifuge.ConnectReply{}, centrifuge.DisconnectPermissionDenied
+		}
+
 		credentials = &centrifuge.Credentials{
 			UserID:   token.UserID,
 			ExpireAt: token.ExpireAt,

internal/rule/rule.go

@@ -59,6 +59,12 @@ type Config struct {
 	// a connection token or setting Credentials in authentication middleware. The resulting
 	// user will have empty string for user ID (i.e. user is treated as anonymous).
 	AnonymousConnectWithoutToken bool
+
+	// DisallowAnonymousConnectionTokens tells Centrifugo to not accept connections from
+	// anonymous users even if they provided a valid JWT. I.e. if token is valid but `sub`
+	// claim is empty then Centrifugo closes connection with advice to not reconnect again.
+	DisallowAnonymousConnectionTokens bool
+
 	// ClientConcurrency when set allows processing client commands concurrently
 	// with provided concurrency level. By default, commands processed sequentially
 	// one after another.

main.go

@@ -126,15 +126,17 @@ func bindCentrifugoConfig() {
 		"node_info_metrics_aggregate_interval": 60 * time.Second,
 
 		"allow_anonymous_connect_without_token": false,
-		"client_expired_close_delay":            25 * time.Second,
-		"client_expired_sub_close_delay":        25 * time.Second,
-		"client_stale_close_delay":              25 * time.Second,
-		"client_channel_limit":                  128,
-		"client_queue_max_size":                 1048576, // 1 MB
-		"client_presence_update_interval":       27 * time.Second,
-		"client_user_connection_limit":          0,
-		"client_concurrency":                    0,
-		"client_channel_position_check_delay":   40 * time.Second,
+		"disallow_anonymous_connection_tokens":  false,
+
+		"client_expired_close_delay":          25 * time.Second,
+		"client_expired_sub_close_delay":      25 * time.Second,
+		"client_stale_close_delay":            25 * time.Second,
+		"client_channel_limit":                128,
+		"client_queue_max_size":               1048576, // 1 MB
+		"client_presence_update_interval":     27 * time.Second,
+		"client_user_connection_limit":        0,
+		"client_concurrency":                  0,
+		"client_channel_position_check_delay": 40 * time.Second,
 
 		"channel_max_length":         255,
 		"channel_private_prefix":     "$",
@@ -1402,6 +1404,7 @@ func ruleConfig() rule.Config {
 	cfg.UserPersonalChannelNamespace = v.GetString("user_personal_channel_namespace")
 	cfg.ClientInsecure = v.GetBool("client_insecure")
 	cfg.AnonymousConnectWithoutToken = v.GetBool("allow_anonymous_connect_without_token")
+	cfg.DisallowAnonymousConnectionTokens = v.GetBool("disallow_anonymous_connection_tokens")
 	cfg.ClientConcurrency = v.GetInt("client_concurrency")
 	cfg.RpcNamespaceBoundary = v.GetString("rpc_namespace_boundary")
 	cfg.RpcProxyName = v.GetString("rpc_proxy_name")

misc/release/notes.md

@@ -11,6 +11,7 @@ For details, go to the [Centrifugo documentation site](https://centrifugal.dev).
 ### Improvements
 
 * Possibility to disable client protocol v1 using `disable_client_protocol_v1` boolean option. To remind you about client protocol v1 vs v2 migration in Centrifugo v4 take a look at [v3 to v4 migration guide](https://centrifugal.dev/docs/getting-started/migration_v4#client-sdk-migration). Centrifugo v4 uses client protocol v2 by default, all our recent SDKs only support client protocol v2. So if you are using modern stack then you can disable clients to use outdated protocol v1 right now. In Centrifugo v5 support for client protocol v1 will be completely removed, see [Centrifugo v5 roadmap](https://github.com/centrifugal/centrifugo/issues/599).
+* New boolean option `disallow_anonymous_connection_tokens`. When the option is set Centrifugo won't accept connections from anonymous users even if they provided a valid JWT. See [#591](https://github.com/centrifugal/centrifugo/issues/591)
 * More human-readable tracing logging output (especially in Protobuf protocol case). On the other hand, tracing log level is much more expensive now. We never assumed it will be used in production – so seems an acceptable trade-off.
 * Several internal optimizations in client protocol to reduce memory allocations.