fix: prevent sending expired tokens (#437)
The client now does a quick check of a token's `exp` claim so that an expired token is not sent to realtime.
filipecabaco authored Nov 27, 2024
1 parent 82e9966 commit 2b4051f
Showing 4 changed files with 241 additions and 39 deletions.
146 changes: 132 additions & 14 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions package.json
Expand Up @@ -41,7 +41,7 @@
"@supabase/node-fetch": "^2.6.14",
"@types/phoenix": "^1.5.4",
"@types/ws": "^8.5.10",
"ws": "^8.14.2"
"ws": "^8.18.0"
},
"devDependencies": {
"@arethetypeswrong/cli": "^0.16.2",
Expand All @@ -51,6 +51,7 @@
"esm": "^3.2.25",
"jsdom": "^16.7.0",
"jsdom-global": "3.0.0",
"jsonwebtoken": "^9.0.2",
"mock-socket": "^9.0.3",
"npm-run-all": "^4.1.5",
"nyc": "^15.1.0",
Expand All @@ -62,4 +63,4 @@
"vitest": "^2.0.5",
"web-worker": "1.2.0"
}
}
}
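--- a/src/RealtimeClient.ts
+++ b/src/RealtimeClient.ts
@@ -335,6 +335,24 @@ export default class RealtimeClient {
 * @param token A JWT string.
 */
 setAuth(token: string | null): void {
+if (token) {
+let parsed = null
+try {
+parsed = JSON.parse(atob(token.split('.')[1]))
+} catch (_error) {}
+if (parsed && parsed.exp) {
+let now = Math.floor(Date.now() / 1000)
+let valid = now - parsed.exp < 0
+if (!valid) {
+this.log(
+'auth',
+`provided token has expired, not sending it to realtime`
+)
+return
+}
+}
+}
+
 this.accessToken = token
 
 this.channels.forEach((channel) => {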
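Review bot: The expiry check in `setAuth` decodes the payload with `atob(token.split('.')[1])`, but JWT segments are base64url-encoded, so a payload containing `-` or `_` makes `atob` throw, the empty `catch (_error) {}` swallows it, and the token is sent with no expiry check at all. Normalise the segment first, e.g. `const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')` followed by `parsed = JSON.parse(atob(b64))`, and log inside the catch so a skipped check is visible. On the expired path the method returns without touching `this.accessToken`, so a previously set token stays in use and the caller learns of the rejection only through the log; a comment stating that this is intended would help. The check reads unverified claims, so it is a client-side convenience only and the server still has to validate `exp`. The rest of `setAuth` lies outside the hunk.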
