Merge pull request #278 from alfianwahid/master

Passing remoteAddress and x-forwarded-for is in whitelist when connect
hapijs · Apr 25, 2019 · 9f9f0c0 · 9f9f0c0
2 parents 6b9d4ec + 7516b5c
commit 9f9f0c0
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 3 deletions.
diff --git a/lib/socket.js b/lib/socket.js
@@ -40,7 +40,8 @@ exports = module.exports = internals.Socket = function (ws, req, listener) {
 
     this.info = {
         remoteAddress: req.socket.remoteAddress,
-        remotePort: req.socket.remotePort
+        remotePort: req.socket.remotePort,
+        'x-forwarded-for': req.headers['x-forwarded-for']
     };
 
     if (this._listener._settings.auth &&
@@ -528,7 +529,8 @@ internals.Socket.prototype._authenticate = async function (request) {
         const config = this._listener._settings.auth;
         if (config.type === 'direct') {
             const route = this.server.lookup(config.id);
-            const res = await this.server.inject({ url: route.path, method: 'auth', headers: request.auth.headers, allowInternals: true, validate: false });
+            request.auth.headers['x-forwarded-for'] = this.info['x-forwarded-for'];
+            const res = await this.server.inject({ url: route.path, method: 'auth', headers: request.auth.headers, remoteAddress: this.info.remoteAddress, allowInternals: true, validate: false });
             if (res.statusCode !== 200) {
                 throw Boom.unauthorized(res.result.message);
             }

diff --git a/test/auth.js b/test/auth.js
@@ -717,6 +717,25 @@ describe('authentication', () => {
             await server.stop();
         });
 
+        it('fails authentication entity (app) with specifiec remoteAddress', async () => {
+
+            const server = Hapi.server();
+
+            server.auth.scheme('custom', internals.implementation);
+            server.auth.strategy('default', 'custom');
+            server.auth.default('default');
+
+            await server.register({ plugin: Nes, options: { auth: { type: 'direct', password, index: true } } });
+
+            server.subscription('/', { auth: { entity: 'app' } });
+
+            await server.start();
+            const client = new Nes.Client('http://localhost:' + server.info.port);
+            await expect(client.connect({ auth: { headers: { authorization: 'Custom app remoteAddress' } } })).to.reject('remoteAddress is not in whitelist');
+            client.disconnect();
+            await server.stop();
+        });
+
         it('subscribes to a path', async () => {
 
             const server = Hapi.server();
@@ -1463,7 +1482,8 @@ internals.implementation = function (server, options) {
             scope: ['a', 'b', '5']
         },
         app: {
-            app: 'app'
+            app: 'app',
+            remoteAddress: '192.168.0.1'
         }
     };
 
@@ -1487,6 +1507,10 @@ internals.implementation = function (server, options) {
                 throw Boom.unauthorized('Unknown user', 'Custom');
             }
 
+            if (user.app && parts[2] === 'remoteAddress' && user.remoteAddress !== request.info.remoteAddress){
+                throw Boom.unauthorized('remoteAddress is not in whitelist');
+            }
+
             return h.authenticated({ credentials: user, artifacts: { userArtifact: artifactsByUser[username], expires: Date.now() + internals.authExpiry } });
         },