Skip to content
This repository was archived by the owner on Feb 7, 2024. It is now read-only.

Multi-tenancy Invalid signature on Private channels #184

Closed
SolStis86 opened this issue May 29, 2019 · 9 comments
Closed

Multi-tenancy Invalid signature on Private channels #184

SolStis86 opened this issue May 29, 2019 · 9 comments

Comments

@SolStis86
Copy link

When receiving and authentication payload from a private or presence channel, the payload should be in the format key:signature. However, whats actually returned from the auth endpoint is something like this:

{"auth":":ce25a333287f30d67b36e486f6e60b59b0a0e55a7df62d209ad67766ef170ab5"}

Note that only the signature is present, not the key.

From what i can see the auth string is generated in Pusher\Pusher@socket_auth (Ln:735) however it seems that the auth_key isnt being set ready for the response.

Im using a custom AppProvider that retrieves the config on a per tenant basis and the overrides the config for the pusher connection through middleware on every request.

My app provider is as follows:

namespace App\Websockets;


use BeyondCode\LaravelWebSockets\Apps\App;
use BeyondCode\LaravelWebSockets\Apps\AppProvider as AppProviderInterface;
use App\Models\System\Website;
use Illuminate\Support\Facades\Cache;

class AppProvider implements AppProviderInterface
{
    public function all(): array
    {
        return Website::all()
            ->map(function (Website $website) {
                return $this->transformWebsiteToApp($website);
            })
            ->toArray();
    }

    public function findById($appId): ?App
    {
        $website = Website::find($appId);

        if (! $website) {
            return null;
        }

        return $this->transformWebsiteToApp($website);
    }

    public function findByKey(string $appKey): ?App
    {
        $website = Website::where('key', $appKey)->first();

        if (! $website) {
            return null;
        }

        return $this->transformWebsiteToApp($website);
    }

    public function findBySecret(string $appSecret): ?App
    {
        $website = Website::where('secret', $appSecret)->first();

        if (! $website) {
            return null;
        }

        return $this->transformWebsiteToApp($website);
    }

    protected function transformWebsiteToApp(Website $website)
    {
        return (new App($website->id, $website->key, $website->secret))
            ->setName($website->uuid)
            ->enableClientMessages(true)
            ->enableStatistics(false);
    }
}

And the middleware:

namespace App\Http\Middleware;

use Closure;
use Hyn\Tenancy\Environment;

class SetupTenantConfig
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($website = app(Environment::class)->tenant()) {
            config([
                'broadcasting.connections.pusher' => [
                    'driver' => 'pusher',
                    'key' => $website->key,
                    'secret' => $website->secret,
                    'app_id' => $website->id,
                    'options' => [
//                        'cluster' => env('PUSHER_APP_CLUSTER'),
                        'encrypted' => true,
                        'host' => '127.0.0.1',
                        'port' => 6001,
                        'scheme' => 'http',
                        'auth_key' => $website->key,
                    ],
                ],
            ]);
        }

        return $next($request);
    }
}

Anyone else ran in to this issue and solved it? Thanks
@SolStis86
Copy link
Author

Ive manually overridden the response from the auth route with:

Route::post('broadcasting/auth', function () {
    $response = Broadcast::auth(request());
    $key = app(\Hyn\Tenancy\Environment::class)->tenant()->key;
    $response['auth'] = $key.$response['auth'];
    return $response;
})

And still receiving the InvalidSignatureException so the key not being set wasn't the issue. Im still at a loss as to why the signature is invalid. Any help would be greatly appreciated. Thanks

@SolStis86
Copy link
Author

Ok so it looks to be that the pusher instance used for generating the auth response has an empty config. Where about is this pusher instance set? This may be due to the config being set in the middleware being done later down the stack from where this instance is set.

@SolStis86
Copy link
Author

SolStis86 commented May 29, 2019
edited
Loading

Solved!

  1. Rip out the native Laravel BroadcastingServiceProvider
  2. Replace with a custom one that isn't deferred
  3. Replace as follows:
namespace App\Providers;


use Hyn\Tenancy\Environment;
use Illuminate\Broadcasting\BroadcastManager;
use Illuminate\Support\ServiceProvider;
use Illuminate\Contracts\Broadcasting\Factory as BroadcastingFactory;
use Illuminate\Contracts\Broadcasting\Broadcaster as BroadcasterContract;

class BroadcastServiceProvider extends ServiceProvider
{
    /**
     * Register the service provider.
     *
     * @return void
     */
    public function boot()
    {
        if ($website = app(Environment::class)->tenant()) {
            config([
                'broadcasting.connections.pusher' => [
                    'driver' => 'pusher',
                    'key' => $website->key,
                    'secret' => $website->secret,
                    'app_id' => $website->id,
                    'options' => [
                        'encrypted' => true,
                        'host' => '127.0.0.1',
                        'port' => 6001,
                        'scheme' => 'http',
                        'auth_key' => $website->key,
                    ],
                ],
            ]);
        }

        $this->app->singleton(BroadcastManager::class, function ($app) {
            return new BroadcastManager($app);
        });

        $this->app->singleton(BroadcasterContract::class, function ($app) {
            return $app->make(BroadcastManager::class)->connection();
        });

        $this->app->alias(
            BroadcastManager::class, BroadcastingFactory::class
        );
    }
}

Basically resolves the host name and applies the config accordingly before the Pusher instance is created in container.

Very much did a rubber duck on this one...

@SolStis86
Copy link
Author

#34

@adam-baliatico
Copy link

@SolStis86 did you have any luck getting this to work with queued notifications? It appears the queue worker is not getting the proper pusher settings applied.

@scramatte
Copy link

scramatte commented Apr 27, 2021
edited
Loading

Hello,

I've tried this with https://tenancyforlaravel.com/ lib. But I'm unable to get it working.
Without BroadcastServiceProvider , broadcasting/auth route returns me OK 200 but invalid signature.

If I overwrite BroadcastServiceProvider , I got 403 on broadcasting/auth call.

Any idea?

Regards

@scramatte
Copy link

I've been able to get it working...
The problem is the logic is little bite different with tenancyforlaravel ...
You have tenancy bootstrappers

Instead overwrite BroadcastServiceProvider, I've mad a bootstrapper that achieve the same goal.
What occurs is after register back the broadcast provider, you delete channels too. Basically you need to recreate channels , importing back routes/channels.php ...

Hope that helps somebody

class WebSocketsBootstrapper implements TenancyBootstrapper
{
    public function bootstrap(Tenant $tenant)
    {
        config([
            'broadcasting.connections.pusher' => [
                    'driver' => 'pusher',
                    'key' => $tenant->pusher_key,
                    'secret' => $tenant->pusher_secret,
                    'app_id' => $tenant->id,
                    'options' => [
                        'encrypted' => true,
                        'host' => '127.0.0.1',
                        'port' => 6001,
                        'scheme' => 'http',
                    ],
                ],
        ]);

        app()->singleton(BroadcastManager::class, function ($app) {
            return new BroadcastManager($app);
        });

        app()->singleton(BroadcasterContract::class, function ($app) {
            return $app->make(BroadcastManager::class)->connection();
        });

        app()->alias(
            BroadcastManager::class,
            BroadcastingFactory::class
        );

        require base_path('routes/tenant/channels.php');
...

@a-ssassi-n
Copy link

@scramatte I tried your code but still when I try to connect to a private channel the /broadcasting/auth connects to the central database instead of connecting to the tenant database to find the auth user.

I created the WebSocketsBootstrapper bootstrapper and registered it in config\tenancy.php bootstrappers like so: App\WebSocketsBootstrapper::class,

Is there anything that I am missing here?

@mgouguasse
Copy link

mgouguasse commented Dec 30, 2022
edited
Loading

@scramatte please can you explain more your code and the files that you changed or import

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@scramatte @a-ssassi-n @SolStis86 @adam-baliatico @mgouguasse