security: add ACL check for WebSocket subscriptions

melvincarvalho · melvincarvalho · commit 03b5ff48c09b · 2026-01-07T09:05:45.000+01:00
Check WAC read permission before allowing WebSocket subscriptions. This prevents information leakage via notifications to unauthorized users. - Add authorizeSubscription callback for solid-ws - Check ACL read access before allowing subscription - Deny subscription returns 'err <url> forbidden' - Currently treats all WS connections as anonymous (TODO: auth integration) Depends on: nodeSolidServer/node-solid-ws#29 Fixes #1334
diff --git a/lib/create-server.mjs b/lib/create-server.mjs
@@ -6,6 +6,8 @@ import SolidWs from 'solid-ws'
 import globalTunnel from 'global-tunnel-ng'
 import debug from './debug.mjs'
 import createApp from './create-app.mjs'
+import ACLChecker from './acl-checker.mjs'
+import url from 'url'
 
 function createServer (argv, app) {
   argv = argv || {}
@@ -96,7 +98,46 @@ function createServer (argv, app) {
 
   // Setup Express app
   if (ldp.live) {
-    const solidWs = SolidWs(server, ldpApp)
+    // Authorization callback for WebSocket subscriptions
+    // Checks ACL read permission before allowing subscription
+    const authorizeSubscription = function (iri, req, callback) {
+      // TODO: Extract userId from session cookie or Authorization header
+      // For now, treat all WebSocket connections as anonymous
+      // This still prevents anonymous access to private resources
+      const userId = null
+
+      try {
+        const parsedUrl = url.parse(iri)
+        const resourcePath = decodeURIComponent(parsedUrl.pathname)
+        const hostname = parsedUrl.hostname || req.headers.host?.split(':')[0]
+        const rootUrl = ldp.resourceMapper.resolveUrl(hostname)
+        const resourceUrl = rootUrl + resourcePath
+
+        // Create a minimal request-like object for ACLChecker
+        const pseudoReq = {
+          hostname,
+          path: resourcePath,
+          get: (header) => req.headers[header.toLowerCase()]
+        }
+
+        const aclChecker = ACLChecker.createFromLDPAndRequest(resourceUrl, ldp, pseudoReq)
+
+        aclChecker.can(userId, 'Read')
+          .then(allowed => {
+            debug.ACL(`WebSocket subscription ${allowed ? 'allowed' : 'denied'} for ${iri} (user: ${userId || 'anonymous'})`)
+            callback(null, allowed)
+          })
+          .catch(err => {
+            debug.ACL(`WebSocket ACL check error for ${iri}: ${err.message}`)
+            callback(null, false)
+          })
+      } catch (err) {
+        debug.ACL(`WebSocket authorization error: ${err.message}`)
+        callback(null, false)
+      }
+    }
+
+    const solidWs = SolidWs(server, ldpApp, { authorize: authorizeSubscription })
     ldpApp.locals.ldp.live = solidWs.publish.bind(solidWs)
   }
 
