ClankBundle
OriginCheck support?
Hi, I'm reading about this project in order to use the bundle in one of my own. It turns out that after I launch the server, I open up the developer console in my browser and:
    var conn = new WebSocket('ws://localhost:8080');
    conn.onopen = function(e) {
        console.log("Connection established!");
    };
After that I'm connected to the web server. Do you plan to add Ratchet's OriginCheck feature as a config parameter in the config.yml file? Or some sort of security that relies on who can get a connection to the server?
OriginCheck is not sufficient in terms of security with WebSockets. Indeed, it can be spoofed by rich clients and cannot be relied upon when authorizing a connection.
Take a look at Session Sharing. Basically, you set a cookie on connection, and it is sent with the websocket. In the onClientConnect listener, get the token from the received cookie and you'll be able to get your user's username, roles, etc.
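The check described in the reply above, as an added example (not part of the original thread, and not ClankBundle or Ratchet code): a handshake decision that applies an Origin allowlist and then requires a cookie that maps to a server-side session. The names `authorizeHandshake`, `parseCookies`, `ALLOWED_ORIGINS`, `SESSIONS` and the cookie name `sid` are assumptions for illustration, and the upgrade request headers are passed in as a plain object so it runs offline in Node.

```javascript
// Added example: authorize a WebSocket upgrade from its HTTP request headers.
// The origin, session token and cookie name "sid" below are constructed values.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);
const SESSIONS = new Map([
  ['3f9c2a7e', { username: 'alice', roles: ['ROLE_USER'] }],
]);

// Parse a Cookie header into a Map of name -> decoded value.
// Malformed percent-encoding is skipped instead of throwing.
function parseCookies(header) {
  const out = new Map();
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { continue; }
    if (name) out.set(name, value);
  }
  return out;
}

// Decide whether to accept the connection; on success return the user.
function authorizeHandshake(headers) {
  // Origin allowlist: keeps pages on other sites from connecting through a
  // user's browser. A non-browser client chooses its own Origin header,
  // so passing this step says nothing about who is connecting.
  if (!ALLOWED_ORIGINS.has(headers.origin)) {
    return { ok: false, reason: 'origin' };
  }
  // Session check: accept only when the cookie maps to a server-side
  // session, which also yields the username and roles for later use.
  const user = SESSIONS.get(parseCookies(headers.cookie).get('sid'));
  if (!user) return { ok: false, reason: 'session' };
  return { ok: true, user };
}
```

A request carrying an allowed Origin but no valid session cookie is rejected with reason `session`, which is the case an Origin check alone would have accepted.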
hi @bcldvd
I was trying to do something similar: how do I get the user in the onSubscribe method of a topic? Can I use the ConnectionInterface object passed as the first parameter?
Thanks a lot.
Hey @amcastror, haven't used it since this comment. A bit rusty :p Check this commit: https://github.com/bcldvd/symfony2-websocket-chat/commit/c6d759fee87360853119e0c6d9010f46870a0e5c It may give you some insight :)
Thanks for the fast reply @bcldvd ! I'll take a look.
I got it working! It wasn't easy but everything I needed was in that commit. Thanks a lot again!
You're welcome :)