Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: close websocket with reason on invalid token #9744

Merged
merged 1 commit into from
May 9, 2024

Conversation

mattkrick
Copy link
Member

@mattkrick mattkrick commented May 8, 2024

Description

fix #8370

The server wasn't closing websockets with a reason when the session was invalidated.
This is important because if a reason is included, the client nukes the authToken.
Either I missed an API change in uws.js, or it hasn't been working for awhile.
This also rolls back to trebuchet-client 3.0.1 because once canConnect is true, it should not turn to false when it encounters an error. It should just try again.

The downside to this pattern is that the server has to upgrade the HTTP1.1 request to a websocket before it can close the websocket. This means the server tells the client that the websocket is open (fires WebSocket.onopen), the client sends pending messages (e.g. subscription requests) and then the server immediately closes it. It's extra work on the client & server, but sending a 401 during a websocket upgrade does not make it to the client. Per the spec: https://websockets.spec.whatwg.org/#eventdef-websocket-error

User agents must not convey any failure information to scripts in a way that would allow a script to distinguish the following situations:

A server whose host name could not be resolved.

A server to which packets could not successfully be routed.

A server that refused the connection on the specified port.

A server that failed to correctly perform a TLS handshake (e.g., the server certificate can’t be verified).

A server that did not complete the opening handshake (e.g. because it was not a WebSocket server).

A WebSocket server that sent a correct opening handshake, but that specified options that caused the client to drop the connection (e.g. the server specified a subprotocol that the client did not offer).

A WebSocket server that abruptly closed the connection after successfully completing the opening handshake.

In all of these cases, [the WebSocket connection close code](https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.5) would be 1006, as required by WebSocket Protocol. [[WSP]](https://websockets.spec.whatwg.org/#biblio-wsp)

Allowing a script to distinguish these cases would allow a script to probe the user’s local network in preparation for an attack.

TEST

  • be logged in, change the SERVER_SECRET and restart the server. Upon reconnect, the client logs out automatically with a snack that says the session has expired.

Signed-off-by: Matt Krick <matt.krick@gmail.com>
Copy link
Contributor

@jordanh jordanh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! No comments

@mattkrick mattkrick merged commit a5d4bad into master May 9, 2024
8 checks passed
@mattkrick mattkrick deleted the fix/websocket-invalid-token branch May 9, 2024 19:50
Comment on lines -13 to -18
if (protocol !== 'trebuchet-ws') {
sendToSentry(new Error(`WebSocket error: invalid protocol: ${protocol}`))
// WS Error 1002 is roughly HTTP 412 Precondition Failed because we can't support the req header
res.writeStatus('412').end()
return
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-1 I think we need to distinguish 2 cases here: The client speaks our language but says the wrong thing (right protocol, wrong auth) and we don't understand it at all (wrong protocol). I think in the latter case, we should not move forward with the upgrade which should also fail the client permanently because it could never connect. Only when the protocol matches, we should upgrade and do the other checks. In that case the client can talk websocket with the server, so there is no need to try other connection methods.

return
}
res.upgrade({ip, authToken}, key, protocol, extensions, context)
const authToken = getQueryToken(req)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-2 we throw here now and the client tries reconnecting endlessly

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whoa! could you provide some steps to reproduce? This function has a try/catch inside it so it shouldn't throw, it should just return a {}, which would then be used to send the ws.close signal, but I may have missed something!

@github-actions github-actions bot mentioned this pull request May 21, 2024
24 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

RelayNetwork: No data returned for operation TeamContainerQuery, got error(s):
3 participants