Fix relay protocol hijack (#162)

Edoardo Gallo · web-flow · commit 3d42f3ee3792 · 2019-08-21T18:18:22.000+02:00
* move _jwtAuth property to BrowserSession

* add signature to Relay client

* use signature to hijack prev protocol

* remove protocol from the storage on disconnect

* update js and react-native CHANGELOGs
diff --git a/packages/common/src/BaseSession.ts b/packages/common/src/BaseSession.ts
@@ -10,6 +10,7 @@ import { ADD, REMOVE, SwEvent, BladeMethod, NOTIFICATION_TYPE } from './util/con
 import { BroadcastParams, ISignalWireOptions, SubscribeParams, IBladeConnectResult } from './util/interfaces'
 import { Subscription, Connect, Reauthenticate } from './messages/Blade'
 import { isFunction } from './util/helpers'
+import { sessionStorage } from './util/storage/'
 
 export default abstract class BaseSession {
   public uuid: string = uuidv4()
@@ -18,6 +19,7 @@ export default abstract class BaseSession {
   public nodeid: string
   public master_nodeid: string
   public expiresAt: number = 0
+  public signature: string = null
   public relayProtocol: string = null
   public contexts: string[] = []
 
@@ -138,6 +140,7 @@ export default abstract class BaseSession {
     this.subscriptions = {}
     this._autoReconnect = false
     this._removeConnection()
+    await sessionStorage.removeItem(this.signature)
     this._executeQueue = []
     this._detachListeners()
   }
@@ -219,9 +222,10 @@ export default abstract class BaseSession {
     const response: IBladeConnectResult = await this.execute(bc).catch(this._handleLoginError)
     if (response) {
       this._autoReconnect = true
-      this.relayProtocol = await Setup(this)
-      const { sessionid, nodeid, master_nodeid, authorization: { expires_at = null } = {} } = response
+      const { sessionid, nodeid, master_nodeid, authorization: { expires_at = null, signature = null } = {} } = response
       this.expiresAt = +expires_at || 0
+      this.signature = signature
+      this.relayProtocol = await Setup(this)
       this._checkTokenExpiration()
       this.sessionid = sessionid
       this.nodeid = nodeid
diff --git a/packages/common/src/BrowserSession.ts b/packages/common/src/BrowserSession.ts
@@ -22,8 +22,9 @@ export default abstract class BrowserSession extends BaseSession {
   private _iceServers: RTCIceServer[] = []
   private _localElement: HTMLMediaElement = null
   private _remoteElement: HTMLMediaElement = null
-  protected _reconnectDelay: number = 1000
 
+  protected _jwtAuth: boolean = true
+  protected _reconnectDelay: number = 1000
   protected _devices: ICacheDevices = {}
   protected _audioConstraints: boolean | MediaTrackConstraints = true
   protected _videoConstraints: boolean | MediaTrackConstraints = false
diff --git a/packages/common/src/services/Setup.ts b/packages/common/src/services/Setup.ts
@@ -10,16 +10,15 @@ const SETUP_CHANNEL = 'notifications'
 export default async (session: BaseSession): Promise<string> => {
   // TODO: service as an empty string for now. Remove it accordingly to Blade changes
   const params: { service: '', protocol?: string } = { service: '' }
-  const storageKey = `${session.options.project}-setup`
-  const currentProtocol = await sessionStorage.getItem(storageKey)
-  if (currentProtocol) {
-    params.protocol = currentProtocol
+  const prevProtocol = await sessionStorage.getItem(session.signature)
+  if (prevProtocol) {
+    params.protocol = prevProtocol
   }
   const be = new Execute({ protocol: SETUP_PROTOCOL, method: SETUP_METHOD, params })
   const { protocol = null } = await session.execute(be)
   if (protocol) {
     await session.subscribe({ protocol, channels: [SETUP_CHANNEL] })
-    await sessionStorage.setItem(storageKey, protocol)
+    await sessionStorage.setItem(session.signature, protocol)
   } else {
     logger.error('Error during setup the session protocol.')
   }
diff --git a/packages/common/src/util/interfaces.ts b/packages/common/src/util/interfaces.ts
@@ -24,6 +24,7 @@ export interface IBladeConnectResult extends IMessageBase {
   protocols_uncertified: string[]
   authorization: {
     expires_at: number
+    signature: string
   }
 }
 
diff --git a/packages/js/CHANGELOG.md b/packages/js/CHANGELOG.md
@@ -4,26 +4,8 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
-### Added
-- Expose moderator methods on the Call object.
-- A notification that belongs to a Call now contains a reference to the call itself.
-- Set/Get default `localElement` for the client to handle the localStream for all calls.
-- Set/Get default `remoteElement` for the client to handle the remoteStream for all calls.
-- newCall() method now accepts `localElement` and `remoteElement` to override the default ones.
-- Set default audio & video settings.
-- Expose speedTest() method.
-- Force SDP to use plan-b.
-- Set default iceServers.
-- User can now join conferences without audio & video.
-- Expose static method uuid().
-- Retrieve supported resolution during client init
-- Add property `resolutions` to get supported resolutions.
-- Add async method `refreshResolutions()` to refresh cached resolutions
-### Changed
-- client.connect() is now async to check browser permissions before open the websocket connection.
-- client.supportedResolutions() now returns a device list for each resolution supported.
-### Removed
-- `chatChannel` / `infoChannel` / `conferenceChannel` have been removed from the `conferenceUpdate` notification (**join** & **leave** actions).
+### Fixed
+- Try to re-establish the previous protocol only if the signature has not changed.
 ### Security
 - Update dependencies
 
diff --git a/packages/js/src/SignalWire.ts b/packages/js/src/SignalWire.ts
@@ -4,8 +4,6 @@ import { Execute } from '../../common/src/messages/Blade'
 import BaseRequest from '../../common/src/messages/verto/BaseRequest'
 
 export default class SignalWire extends BrowserSession {
-  protected _jwtAuth: boolean = true
-
   execute(message: BaseMessage) {
     let msg: BaseMessage = message
     if (message instanceof BaseRequest) {
diff --git a/packages/react-native/CHANGELOG.md b/packages/react-native/CHANGELOG.md
@@ -4,7 +4,11 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Fixed
+- Try to re-establish the previous protocol only if the signature has not changed.
 
+## [1.0.0] - 2019-06-28
+## First Release!
 
 <!---
 ### Added
diff --git a/packages/react-native/src/Relay.ts b/packages/react-native/src/Relay.ts
@@ -4,8 +4,6 @@ import { Execute } from '../../common/src/messages/Blade'
 import BaseRequest from '../../common/src/messages/verto/BaseRequest'
 
 export default class Relay extends BrowserSession {
-  protected _jwtAuth: boolean = true
-
   execute(message: BaseMessage) {
     let msg: BaseMessage = message
     if (message instanceof BaseRequest) {

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ export interface IBladeConnectResult extends IMessageBase {`
`24`	`24`	`protocols_uncertified: string[]`
`25`	`25`	`authorization: {`
`26`	`26`	`expires_at: number`
	`27`	`+ signature: string`
`27`	`28`	`}`
`28`	`29`	`}`
`29`	`30`