Secure backend socket.io from other applications that can access localhost i.e. browser

packages/backend/src/backendManager.ts

@@ -24,6 +24,7 @@ program
   .option('-a, --appDataPath <string>', 'Path of application data directory')
   .option('-d, --socketIOPort <number>', 'Socket io data server port')
   .option('-r, --resourcesPath <string>', 'Application resources path')
+  .option('-scrt, --socketIOSecret <string>', 'socketIO secret')
 
 program.parse(process.argv)
 const options = program.opts()
@@ -33,6 +34,7 @@ console.log('options', options)
 interface OpenServices {
   torControlPort?: any
   socketIOPort?: any
+  socketIOSecret?: any
   httpTunnelPort?: any
   authCookie?: any
 }
@@ -52,6 +54,7 @@ export const runBackendDesktop = async () => {
   const app = await NestFactory.createApplicationContext(
     AppModule.forOptions({
       socketIOPort: options.socketIOPort,
+      socketIOSecret: options.socketIOSecret,
       torBinaryPath: torBinForPlatform(resourcesPath),
       torResourcesPath: torDirForPlatform(resourcesPath),
       torControlPort: await getPort(),
@@ -97,6 +100,7 @@ export const runBackendMobile = async (): Promise<any> => {
   app = await NestFactory.createApplicationContext(
     AppModule.forOptions({
       socketIOPort: options.dataPort,
+      socketIOSecret: options.socketIOSecret,
       httpTunnelPort: options.httpTunnelPort ? options.httpTunnelPort : null,
       torAuthCookie: options.authCookie ? options.authCookie : null,
       torControlPort: options.controlPort ? options.controlPort : await getPort(),
@@ -120,6 +124,7 @@ export const runBackendMobile = async (): Promise<any> => {
     app = await NestFactory.createApplicationContext(
       AppModule.forOptions({
         socketIOPort: msg.socketIOPort,
+        socketIOSecret: msg.socketIOSecret,
         httpTunnelPort: msg.httpTunnelPort ? msg.httpTunnelPort : null,
         torAuthCookie: msg.authCookie ? msg.authCookie : null,
         torControlPort: msg.torControlPort ? msg.torControlPort : await getPort(),
@@ -133,7 +138,6 @@ export const runBackendMobile = async (): Promise<any> => {
       }),
       { logger: ['warn', 'error', 'log', 'debug', 'verbose'] }
     )
-    console.log('started backend wiktor little bastard ')
   })
 }
 

packages/backend/src/nest/app.module.ts

@@ -32,7 +32,7 @@ import { Server as SocketIO } from 'socket.io'
 import { StorageModule } from './storage/storage.module'
 import { IpfsModule } from './ipfs/ipfs.module'
 import { Level } from 'level'
-import { getCors } from './common/utils'
+import { verifyToken } from '@quiet/common'
 
 @Global()
 @Module({
@@ -94,10 +94,47 @@ export class AppModule {
             _app.use(cors())
             const server = createServer(_app)
             const io = new SocketIO(server, {
-              cors: getCors(),
+              cors: {
+                origin: '127.0.0.1',
+                allowedHeaders: ['authorization'],
+                credentials: true,
+              },
               pingInterval: 1000_000,
               pingTimeout: 1000_000,
             })
+            io.engine.use((req, res, next) => {
+              const authHeader = req.headers['authorization']
+              if (!authHeader) {
+                console.error('No authorization header')
+                res.writeHead(401, 'No authorization header')
+                res.end()
+                return
+              }
+
+              const token = authHeader && authHeader.split(' ')[1]
+              if (!token) {
+                console.error('No auth token')
+                res.writeHead(401, 'No authorization token')
+                res.end()
+                return
+              }
+
+              if (!options.socketIOSecret) {
+                console.error('No socketIoSecret')
+                res.writeHead(401, 'No socketIoSecret')
+                res.end()
+                return
+              }
+
+              if (verifyToken(options.socketIOSecret, token)) {
+                next()
+              } else {
+                console.error('Wrong basic token')
+                res.writeHead(401, 'Unauthorized')
+                res.end()
+              }
+            })
+
             return { server, io }
           },
           inject: [EXPRESS_PROVIDER],

packages/backend/src/nest/socket/socket.service.ts

@@ -16,7 +16,6 @@ import {
   Community,
   DeleteFilesFromChannelSocketPayload,
 } from '@quiet/types'
-import cors, { CorsOptions } from 'cors'
 import EventEmitter from 'events'
 import { CONFIG_OPTIONS, SERVER_IO_PROVIDER } from '../const'
 import { ConfigOptions, ServerIoProviderTypes } from '../types'
@@ -132,6 +131,7 @@ export class SocketService extends EventEmitter implements OnModuleInit {
         this.logger(`Creating network for community ${community.id}`)
         this.emit(SocketActionTypes.CREATE_NETWORK, community)
       })
+
       socket.on(SocketActionTypes.LEAVE_COMMUNITY, async () => {
         this.logger('leaving community')
         this.emit(SocketActionTypes.LEAVE_COMMUNITY)

packages/backend/src/nest/types.ts

@@ -5,6 +5,7 @@ import { Server as SocketIO } from 'socket.io'
 export class ConnectionsManagerTypes {
   options: Partial<ConnectionsManagerOptions>
   socketIOPort: number
+  socketIOSecret?: string
   httpTunnelPort?: number
   torAuthCookie?: string
   torControlPort?: number