Merge pull request zhaojh329#34 from zsichen/dev

Check session id before accepting request

client.go

@@ -1,12 +1,13 @@
 package main
 
 import (
-	"github.com/gorilla/websocket"
-	log "github.com/sirupsen/logrus"
 	"net/http"
 	"strconv"
 	"sync"
 	"time"
+
+	"github.com/gorilla/websocket"
+	log "github.com/sirupsen/logrus"
 )
 
 var upgrader = websocket.Upgrader{
@@ -73,6 +74,10 @@ func serveWs(br *Broker, w http.ResponseWriter, r *http.Request, cfg *RttysConfi
 			http.Error(w, "Forbidden", http.StatusForbidden)
 			return
 		}
+	} else if _, ok := httpSessions.Get(r.URL.Query().Get("sid")); !ok {
+		log.Error("Invalid sid from client")
+		http.Error(w, "Forbidden", http.StatusForbidden)
+		return
 	}
 
 	keepalive, _ := strconv.Atoi(r.URL.Query().Get("keepalive"))

command.go

@@ -2,14 +2,15 @@ package main
 
 import (
 	"fmt"
-	jsoniter "github.com/json-iterator/go"
-	log "github.com/sirupsen/logrus"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"sync"
 	"time"
 
+	jsoniter "github.com/json-iterator/go"
+	log "github.com/sirupsen/logrus"
+
 	"github.com/gorilla/websocket"
 )
 
@@ -38,8 +39,11 @@ type commandStatus struct {
 }
 
 type CommandInfo struct {
-	Devid string `json:"devid"`
-	Cmd   string `json:"cmd"`
+	Devid    string `json:"devid"`
+	Cmd      string `json:"cmd"`
+	Sid      string `json:"sid"`
+	Username string `json:"username"`
+	Password string `json:"password"`
 }
 
 var commands sync.Map
@@ -85,7 +89,7 @@ func serveCmd(br *Broker, w http.ResponseWriter, r *http.Request) {
 
 	cmdInfo := CommandInfo{}
 	err = jsoniter.Unmarshal(body, &cmdInfo)
-	if err != nil || cmdInfo.Cmd == "" || cmdInfo.Devid == "" {
+	if _, ok := httpSessions.Get(cmdInfo.Sid); err != nil || cmdInfo.Cmd == "" || cmdInfo.Devid == "" || ok == false {
 		cmdErrReply(RTTY_CMD_ERR_INVALID, w)
 		return
 	}

html/src/views/Home.vue

@@ -282,6 +282,7 @@ export default {
                             devid: item.id,
                             username: this.cmdData.username,
                             password: this.cmdData.password,
+                            sid: sessionStorage.getItem('rtty-sid'),
                             cmd: this.cmdData.cmd.trim(),
                             params: this.cmdData.params,
                             env: this.cmdData.env

html/src/views/Login.vue

@@ -43,7 +43,7 @@ export default {
                         password: this.form.password
                     };
                     this.$axios.post(process.env.BASE_URL + 'signin', params).then(res => {
-                        sessionStorage.setItem('rtty-sid', res);
+                        sessionStorage.setItem('rtty-sid', res.data);
                         this.$router.push('/');
                     }).catch(() => {
                         this.$Message.error(this.$t('Signin Fail! username or password wrong.'));

html/src/views/Rtty.vue

@@ -82,7 +82,7 @@ export default {
         this.username = this.$route.query.username;
         this.password = this.$route.query.password;
 
-        let ws = new WebSocket(protocol + location.host + process.env.BASE_URL + 'ws?devid=' + devid);
+        let ws = new WebSocket(protocol + location.host + process.env.BASE_URL + 'ws?devid=' + devid + '&sid=' + sessionStorage.getItem('rtty-sid'));
 
         ws.onopen = () => {
             ws.binaryType = 'arraybuffer';