使用socket.io和Laravel Echo时如何保护私人频道?

时间:2017-02-07 09:51:44

标签: laravel websocket socket.io laravel-5.3 laravel-echo

这是我的server.js文件:

var app = require('express')();
var http = require('http').Server(app);
var io = require('socket.io')(http);
var Redis = require('ioredis');
var redis = new Redis();

http.listen(3000, function(){
    console.log('Listening on Port 3000');
});

redis.psubscribe('*', function(err, count) {
    console.log(err, count);
});
redis.on('pmessage', function(subscribed, channel, message) {
    message = JSON.parse(message);
    io.emit(message.event, channel, message.data);
});

一个简单的事件:

class FieldWasUpdated implements ShouldBroadcast
{
    use InteractsWithSockets, SerializesModels;
    public $instance;
    public $key;
    public $value;

    public function __construct($instance, $key, $value)
    {
        $this->instance = $instance;
        $this->key = $key;
        $this->value = $value;
    }

    public function broadcastOn()
    {
        return new PrivateChannel("model." . $this->instance->getModelType() . "." . $this->instance->id);
    }
}

客户端连接到socket.io:

Echo = new Echo({
    broadcaster: 'socket.io',
    host: window.location.hostname + ':3000'
});

然后侦听事件(它在Blade模板中):

var channel = "model.{{ $instance->getModelType() }}.{{ $instance->id }}";
Echo.private(channel)
    .listen("FieldWasUpdated", function(e) {
        window.VueBus.$emit("updated", channel, e.key, e.value);
    })
    .listen("FieldBecameDisabled", function(e) {
        window.VueBus.$emit("disabled", channel, e.key);
    });

问题是:未处理身份验证,任何用户都可以订阅这些渠道。

Broadcast::channel("model.announcement.*", function($user, $id) {
    return false; // this function is not called
})

以下是Chrome开发者控制台(WebSocket)的示例事件:

[
    "App\\Events\\FieldWasUpdated",
    "private-model.announcement.2",
    {
        "instance":
        {
            "type":"ANN_TYPE_MISSED_CALL",
            "status":"ANN_STATUS_CANCELLED",
            "name":"1233421",
            "phone":"+7(222)222-3322",
            "email":"sdgsg@mail.com",
            "message":"sdgdsgsdgdfdg",
            "requirement":null,
            "web_type":"ANN_WEB_TYPE_UNKNOWN",
            "url":null,
            "responsible_id":19,
            "recommender_id":18
        },
        "key":"message",
        "value":"sdgdsgsdgdfdg"
    }
]

此外,没有/broadcast/auth网址,但BroadcastServiceProvider可以调用Broadcast::routes();,当浏览器加载时,不会调用/broadcast/auth

1 个答案:

答案 0 :(得分:0)

Laravel文档在广播章节中详细介绍了这一点:https://laravel.com/docs/5.5/broadcasting#presence-channels。私有频道的授权存在频道部分应该相同。