Auth and redis improvements

Author: oklemenz2

CHANGELOG.md

@@ -5,11 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## Version 1.5.2 - 2025-02-xx
+## Version 1.5.2 - 2025-01-10
 
 ### Fixed
 
-- tbd
+- Fix fallback to redis configuration `cds.requires.redis`
+- Check for authenticated user during websocket connection (no anonymous)
+- Improve start log `using websocket` including adapter information
+- Improve server shutdown redis client handling
 
 ## Version 1.5.1 - 2025-01-09
 

README.md

@@ -1558,7 +1558,7 @@ To use the Redis Adapter (basic publish/subscribe), the following steps have to
     {
       "cds": {
         "requires": {
-          "redis-websocket": null,
+          "redis-websocket": false,
           "redis": {
             "vcap": {
               "tag": "ws-redis"

jest.config.js

@@ -12,7 +12,7 @@ module.exports = {
   coverageThreshold: {
     global: {
       branches: 80,
-      functions: 95,
+      functions: 90,
       lines: 90,
       statements: 90,
     },

package-lock.json

@@ -6,6 +6,7 @@ const SocketServer = require("./socket/base");
 const redis = require("./redis");
 
 const LOG = cds.log("/websocket");
+const TIMEOUT_SHUTDOWN = 2500;
 
 const WebSocketAction = {
   Connect: "wsConnect",
@@ -24,7 +25,7 @@ const collectServicesAndMountAdapter = (srv, options) => {
       serveWebSocketServer(options);
     });
     cds.on("shutdown", async () => {
-      await redis.closeClients();
+      await shutdownWebSocketServer();
     });
   }
   services[srv.name] = srv;
@@ -85,7 +86,10 @@ function serveWebSocketServer(options) {
           serveWebSocketService(socketServer, eventService, options);
         }
       }
-      LOG?.info("using websocket", { kind: cds.env.websocket.kind, adapter: socketServer.adapterActive });
+      LOG?.info("using websocket", {
+        kind: cds.env.websocket.kind,
+        adapter: socketServer.adapter ? { impl: socketServer.adapterImpl, active: socketServer.adapterActive } : false,
+      });
     }
   });
 }
@@ -108,6 +112,26 @@ async function initWebSocketServer(server, path) {
   }
 }
 
+async function shutdownWebSocketServer() {
+  return await new Promise((resolve, reject) => {
+    const timeoutRef = setTimeout(() => {
+      clearTimeout(timeoutRef);
+      LOG?.info("Shutdown timeout reached!");
+      resolve();
+    }, TIMEOUT_SHUTDOWN);
+    redis
+      .closeClients()
+      .then((result) => {
+        clearTimeout(timeoutRef);
+        resolve(result);
+      })
+      .catch((err) => {
+        clearTimeout(timeoutRef);
+        reject(err);
+      });
+  });
+}
+
 function normalizeServicePath(servicePath, protocolPath) {
   if (servicePath.startsWith(`${protocolPath}/`)) {
     return servicePath.substring(`${protocolPath}/`.length);
@@ -447,7 +471,7 @@ function deriveCurrentUser(event, data, headers, req) {
   }
 }
 
-function deriveDefinedUser(event, data, headers, req) {
+function deriveDefinedUser(event, data, headers) {
   const include = combineValues(
     deriveValues(event, data, headers, {
       headerNames: ["wsUsers", "wsUser", "users", "user"],

src/index.js

@@ -47,10 +47,10 @@ const createClientBase = (options = {}) => {
   const adapterActiveExplicit = !!options?.active;
   const adapterLocal = !!options?.local;
   if (!(IS_ON_CF || adapterActiveExplicit || adapterLocal)) {
-    LOG?.info("Redis not available in local environment");
+    LOG?.info("Redis is not activated for local environment");
     return;
   }
-  const requiresRedis = cds.env.requires?.["redis-websocket"] ?? cds.env.requires?.redis;
+  const requiresRedis = cds.env.requires?.["redis-websocket"] || cds.env.requires?.redis;
   const credentials = requiresRedis?.credentials;
   if (!credentials) {
     LOG?.info("No Redis credentials found");

src/redis/index.js

@@ -22,6 +22,7 @@ class SocketServer {
     this.path = path;
     this.config = config;
     this.adapter = null;
+    this.adapterImpl = null;
     this.adapterActive = false;
     cds.ws = null;
   }
@@ -199,16 +200,6 @@ class SocketServer {
    */
   close(socket, code, reason) {}
 
-  /**
-   * Enforce that socket request is authenticated
-   * @param {Object} socket Server socket
-   */
-  enforceAuth(socket) {
-    if (socket.request.isAuthenticated && !socket.request.isAuthenticated()) {
-      throw new Error("403 - Forbidden");
-    }
-  }
-
   /**
    * Middlewares executed before
    * @returns {[function]} Returns a list of middleware functions
@@ -222,7 +213,7 @@ class SocketServer {
    * @returns {[function]} Returns a list of middleware functions
    */
   afterMiddlewares() {
-    return [this.removeWrapNext.bind(this)];
+    return [this.enforceAuth.bind(this), this.removeWrapNext.bind(this)];
   }
 
   /**
@@ -372,6 +363,19 @@ class SocketServer {
     }
   }
 
+  /**
+   * Enforce that socket request is authenticated (no anonymous)
+   * @param {Object} socket Server socket
+   */
+  enforceAuth(socket, next) {
+    if (cds.context?.user?._is_anonymous || (socket.request.isAuthenticated && !socket.request.isAuthenticated())) {
+      const err = new Error("401");
+      err.code = 4401;
+      return next(err);
+    }
+    next();
+  }
+
   /**
    * Require implementation
    * @param {String} impl Implementation name or path

src/socket/base.js

@@ -30,7 +30,6 @@ class SocketIOServer extends SocketServer {
     const format = this.format(service, undefined, "json");
     io.on("connection", async (socket) => {
       try {
-        this.enforceAuth(socket);
         socket.context = { ...cds.context };
         socket.join(room({ tenant: socket.context.tenant }));
         if (socket.context.user?.id) {
@@ -282,6 +281,7 @@ class SocketIOServer extends SocketServer {
           }
           if (this.adapter) {
             this.io.adapter(this.adapter);
+            this.adapterImpl = config.impl;
             this.adapterActive = true;
           }
         }

src/socket/socket.io.js

@@ -67,7 +67,6 @@ class SocketWSServer extends SocketServer {
           return;
         }
         try {
-          this.enforceAuth(ws);
           ws.context = { ...cds.context };
           ws.facade = {
             service,
@@ -275,6 +274,7 @@ class SocketWSServer extends SocketServer {
         if (adapterFactory) {
           this.adapter = new adapterFactory(this, config);
           await this.adapter?.setup?.();
+          this.adapterImpl = config.impl;
           this.adapterActive = !!this.adapter?.client;
         }
       }

src/socket/ws.js

@@ -1,10 +1,10 @@
 {
+  "COOKIE_BACKWARD_COMPATIBILITY": true,
   "destinations": [
     {
       "name": "srv",
       "url": "http://localhost:4004",
       "forwardAuthToken": true
     }
-  ],
-  "COOKIE_BACKWARD_COMPATIBILITY": true
+  ]
 }