validate recording auth (#235)

2025-12-19 05:47:46 +00:00 · 2023-09-24 15:19:13 +03:00
parent 209a58ff51
commit b190334839
2 changed files with 19 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -33,6 +33,8 @@ Configuration is provided via environment variables:
 |K8S| service running as kubernetes service |no|
 |K8S_FEATURE_SERVER_SERVICE_NAME| feature server name(required for K8S) |no|
 |K8S_FEATURE_SERVER_SERVICE_PORT| feature server port(required for K8S) |no|
+|JAMBONZ_RECORD_WS_USERNAME| recording websocket username|no|
+|JAMBONZ_RECORD_WS_PASSWORD| recording websocket password|no|

 #### Database dependency
 A mysql database is used to store long-lived objects such as Accounts, Applications, etc. To create the database schema, use or review the scripts in the 'db' folder, particularly:
--- a/app.js
+++ b/app.js
@@ -175,11 +175,22 @@ const server = app.listen(PORT);


 const isValidWsKey = (hdr) => {
-  const username = process.env.JAMBONZ_RECORD_WS_USERNAME;
-  const password = process.env.JAMBONZ_RECORD_WS_PASSWORD;
-  const token = Buffer.from(`${username}:${password}`).toString('base64');
-  const arr = /^Basic (.*)$/.exec(hdr);
-  return arr[1] === token;
+  const username = process.env.JAMBONZ_RECORD_WS_USERNAME || process.env.JAMBONES_RECORD_WS_USERNAME;
+  const password = process.env.JAMBONZ_RECORD_WS_PASSWORD || process.env.JAMBONES_RECORD_WS_PASSWORD;
+  if (username && password) {
+    if (!hdr) {
+      // auth header is missing
+      return false;
+    }
+    const token = Buffer.from(`${username}:${password}`).toString('base64');
+    const arr = /^Basic (.*)$/.exec(hdr);
+    if (!Array.isArray(arr)) {
+      // malformed auth header
+      return false;
+    }
+    return arr[1] === token;
+  }
+  return true;
 };

 server.on('upgrade', (request, socket, head) => {
@@ -196,7 +207,7 @@ server.on('upgrade', (request, socket, head) => {

  /* verify the api key */
  if (!isValidWsKey(request.headers['authorization'])) {
-    logger.info(`invalid auth header: ${request.headers['authorization']}`);
+    logger.info(`invalid auth header: ${request.headers['authorization'] || 'authorization header missing'}`);
    return socket.write('HTTP/1.1 403 Forbidden \r\n\r\n', () => socket.destroy());
  }