- Fix access to undefined request user for unauthenticated requests

oklemenz2 · oklemenz2 · commit 3f24991a8975 · 2024-06-03T18:13:27.000+02:00
- Redis lookup via custom `vcap` environment configuration
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,11 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## Version 1.0.1 - 2024-06-xx
+## Version 1.0.1 - 2024-06-03
 
 ### Fixed
 
-- tbd
+- Fix access to undefined request user for unauthenticated requests
+- Redis lookup via custom `vcap` environment configuration
 
 ## Version 1.0.0 - 2024-05-03
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -54,7 +54,7 @@
     "@eslint/js": "9.4.0",
     "@sap/cds": "^7.9.2",
     "@sap/cds-dk": "^7.9.2",
-    "@sap/xssec": "4.0.0",
+    "@sap/xssec": "4.0.1",
     "@socket.io/redis-adapter": "^8.3.0",
     "@socket.io/redis-streams-adapter": "^0.2.2",
     "@types/express": "^4.17.21",
@@ -132,6 +132,21 @@
                       "type": "boolean",
                       "description": "Enable websocket adapter in local environment",
                       "default": false
+                    },
+                    "vcap": {
+                      "type": "object",
+                      "description": "VCAP service environment",
+                      "properties": {
+                        "label": {
+                          "type": "string",
+                          "description": "VCAP service label"
+                        },
+                        "tag": {
+                          "type": "string",
+                          "description": "VCAP service tag"
+                        }
+                      },
+                      "additionalProperties": true
                     }
                   }
                 }
@@ -145,7 +160,7 @@
         }
       }
     },
-    "weboscket": {
+    "websocket": {
       "kind": "ws"
     }
   }
diff --git a/src/index.js b/src/index.js
@@ -351,15 +351,15 @@ function deriveElements(event, data) {
 function deriveUser(event, data, headers, req) {
   if ((headers?.wsExcludeCurrentUser || headers?.excludeCurrentUser) !== undefined) {
     if (headers?.wsExcludeCurrentUser || headers?.excludeCurrentUser) {
-      return req.context.user.id;
+      return req.context.user?.id;
     }
     return;
   }
   let user =
     event["@websocket.user"] || event["@ws.user"] || event["@websocket.broadcast.user"] || event["@ws.broadcast.user"];
   switch (user) {
     case "excludeCurrent":
-      return req.context.user.id;
+      return req.context.user?.id;
   }
   if (event.elements) {
     for (const name in event.elements) {
@@ -371,7 +371,7 @@ function deriveUser(event, data, headers, req) {
         element["@ws.broadcast.user"];
       switch (user) {
         case "excludeCurrent":
-          return data[name] ? req.context.user.id : undefined;
+          return data[name] ? req.context.user?.id : undefined;
       }
     }
   }
diff --git a/src/redis/index.js b/src/redis/index.js
@@ -56,7 +56,7 @@ const createClientBase = (options = {}) => {
   }
   let credentials;
   try {
-    credentials = xsenv.serviceCredentials({ label: "redis-cache" });
+    credentials = xsenv.serviceCredentials({ label: "redis-cache", ...cds.env.websocket?.adapter?.vcap });
   } catch (err) {
     LOG?.info(err.message);
   }
diff --git a/src/socket/socket.io.js b/src/socket/socket.io.js
@@ -34,7 +34,7 @@ class SocketIOServer extends SocketServer {
       try {
         this.enforceAuth(socket);
         socket.tenant = socket.request.tenant;
-        socket.user = socket.request.user.id;
+        socket.user = socket.request.user?.id;
         socket.join(room({ tenant: socket.tenant }));
         socket.join(room({ tenant: socket.tenant, user: socket.user }));
         if (socket.request._query?.id) {
diff --git a/src/socket/ws.js b/src/socket/ws.js
@@ -66,7 +66,7 @@ class SocketWSServer extends SocketServer {
         try {
           this.enforceAuth(ws);
           ws.tenant = ws.request.tenant;
-          ws.user = ws.request.user.id;
+          ws.user = ws.request.user?.id;
           const facade = {
             service,
             socket: ws,

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@`
`54`	`54`	`"@eslint/js": "9.4.0",`
`55`	`55`	`"@sap/cds": "^7.9.2",`
`56`	`56`	`"@sap/cds-dk": "^7.9.2",`
`57`		`- "@sap/xssec": "4.0.0",`
	`57`	`+ "@sap/xssec": "4.0.1",`
`58`	`58`	`"@socket.io/redis-adapter": "^8.3.0",`
`59`	`59`	`"@socket.io/redis-streams-adapter": "^0.2.2",`
`60`	`60`	`"@types/express": "^4.17.21",`
`@@ -132,6 +132,21 @@`
`132`	`132`	`"type": "boolean",`
`133`	`133`	`"description": "Enable websocket adapter in local environment",`
`134`	`134`	`"default": false`
	`135`	`+ },`
	`136`	`+ "vcap": {`
	`137`	`+ "type": "object",`
	`138`	`+ "description": "VCAP service environment",`
	`139`	`+ "properties": {`
	`140`	`+ "label": {`
	`141`	`+ "type": "string",`
	`142`	`+ "description": "VCAP service label"`
	`143`	`+ },`
	`144`	`+ "tag": {`
	`145`	`+ "type": "string",`
	`146`	`+ "description": "VCAP service tag"`
	`147`	`+ }`
	`148`	`+ },`
	`149`	`+ "additionalProperties": true`
`135`	`150`	`}`
`136`	`151`	`}`
`137`	`152`	`}`
`@@ -145,7 +160,7 @@`
`145`	`160`	`}`
`146`	`161`	`}`
`147`	`162`	`},`
`148`		`- "weboscket": {`
	`163`	`+ "websocket": {`
`149`	`164`	`"kind": "ws"`
`150`	`165`	`}`
`151`	`166`	`}`
Original file line number	Diff line number	Diff line change
`@@ -351,15 +351,15 @@ function deriveElements(event, data) {`
`351`	`351`	`function deriveUser(event, data, headers, req) {`
`352`	`352`	`if ((headers?.wsExcludeCurrentUser \|\| headers?.excludeCurrentUser) !== undefined) {`
`353`	`353`	`if (headers?.wsExcludeCurrentUser \|\| headers?.excludeCurrentUser) {`
`354`		`- return req.context.user.id;`
	`354`	`+ return req.context.user?.id;`
`355`	`355`	`}`
`356`	`356`	`return;`
`357`	`357`	`}`
`358`	`358`	`let user =`
`359`	`359`	`event["@websocket.user"] \|\| event["@ws.user"] \|\| event["@websocket.broadcast.user"] \|\| event["@ws.broadcast.user"];`
`360`	`360`	`switch (user) {`
`361`	`361`	`case "excludeCurrent":`
`362`		`- return req.context.user.id;`
	`362`	`+ return req.context.user?.id;`
`363`	`363`	`}`
`364`	`364`	`if (event.elements) {`
`365`	`365`	`for (const name in event.elements) {`
`@@ -371,7 +371,7 @@ function deriveUser(event, data, headers, req) {`
`371`	`371`	`element["@ws.broadcast.user"];`
`372`	`372`	`switch (user) {`
`373`	`373`	`case "excludeCurrent":`
`374`		`- return data[name] ? req.context.user.id : undefined;`
	`374`	`+ return data[name] ? req.context.user?.id : undefined;`
`375`	`375`	`}`
`376`	`376`	`}`
`377`	`377`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ const createClientBase = (options = {}) => {`
`56`	`56`	`}`
`57`	`57`	`let credentials;`
`58`	`58`	`try {`
`59`		`- credentials = xsenv.serviceCredentials({ label: "redis-cache" });`
	`59`	`+ credentials = xsenv.serviceCredentials({ label: "redis-cache", ...cds.env.websocket?.adapter?.vcap });`
`60`	`60`	`} catch (err) {`
`61`	`61`	`LOG?.info(err.message);`
`62`	`62`	`}`