Do not forward messages to Firebase if topic is not world-readable
This commit is contained in:
parent
936e95fd9e
commit
198e2cfd90
5 changed files with 53 additions and 37 deletions
|
@ -64,8 +64,8 @@ type User struct {
|
||||||
// Grant is a struct that represents an access control entry to a topic
|
// Grant is a struct that represents an access control entry to a topic
|
||||||
type Grant struct {
|
type Grant struct {
|
||||||
TopicPattern string // May include wildcard (*)
|
TopicPattern string // May include wildcard (*)
|
||||||
Read bool
|
AllowRead bool
|
||||||
Write bool
|
AllowWrite bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// Permission represents a read or write permission to a topic
|
// Permission represents a read or write permission to a topic
|
||||||
|
|
|
@ -281,8 +281,8 @@ func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {
|
||||||
}
|
}
|
||||||
grants = append(grants, Grant{
|
grants = append(grants, Grant{
|
||||||
TopicPattern: fromSQLWildcard(topic),
|
TopicPattern: fromSQLWildcard(topic),
|
||||||
Read: read,
|
AllowRead: read,
|
||||||
Write: write,
|
AllowWrite: write,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
return grants, nil
|
return grants, nil
|
||||||
|
|
|
@ -144,11 +144,11 @@ func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
|
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
|
||||||
} else if len(user.Grants) > 0 {
|
} else if len(user.Grants) > 0 {
|
||||||
for _, grant := range user.Grants {
|
for _, grant := range user.Grants {
|
||||||
if grant.Read && grant.Write {
|
if grant.AllowRead && grant.AllowWrite {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
|
fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
|
||||||
} else if grant.Read {
|
} else if grant.AllowRead {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern)
|
fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern)
|
||||||
} else if grant.Write {
|
} else if grant.AllowWrite {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern)
|
fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern)
|
||||||
} else {
|
} else {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern)
|
fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern)
|
||||||
|
|
|
@ -117,14 +117,6 @@ const (
|
||||||
// New instantiates a new Server. It creates the cache and adds a Firebase
|
// New instantiates a new Server. It creates the cache and adds a Firebase
|
||||||
// subscriber (if configured).
|
// subscriber (if configured).
|
||||||
func New(conf *Config) (*Server, error) {
|
func New(conf *Config) (*Server, error) {
|
||||||
var firebaseSubscriber subscriber
|
|
||||||
if conf.FirebaseKeyFile != "" {
|
|
||||||
var err error
|
|
||||||
firebaseSubscriber, err = createFirebaseSubscriber(conf)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
var mailer mailer
|
var mailer mailer
|
||||||
if conf.SMTPSenderAddr != "" {
|
if conf.SMTPSenderAddr != "" {
|
||||||
mailer = &smtpSender{config: conf}
|
mailer = &smtpSender{config: conf}
|
||||||
|
@ -151,6 +143,14 @@ func New(conf *Config) (*Server, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
var firebaseSubscriber subscriber
|
||||||
|
if conf.FirebaseKeyFile != "" {
|
||||||
|
var err error
|
||||||
|
firebaseSubscriber, err = createFirebaseSubscriber(conf, auther)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
return &Server{
|
return &Server{
|
||||||
config: conf,
|
config: conf,
|
||||||
cache: cache,
|
cache: cache,
|
||||||
|
@ -172,7 +172,7 @@ func createCache(conf *Config) (cache, error) {
|
||||||
return newMemCache(), nil
|
return newMemCache(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func createFirebaseSubscriber(conf *Config) (subscriber, error) {
|
func createFirebaseSubscriber(conf *Config, auther auth.Auther) (subscriber, error) {
|
||||||
fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(conf.FirebaseKeyFile))
|
fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(conf.FirebaseKeyFile))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -182,7 +182,7 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return func(m *message) error {
|
return func(m *message) error {
|
||||||
var data map[string]string // Matches https://ntfy.sh/docs/subscribe/api/#json-message-format
|
var data map[string]string // Mostly matches https://ntfy.sh/docs/subscribe/api/#json-message-format
|
||||||
switch m.Event {
|
switch m.Event {
|
||||||
case keepaliveEvent, openEvent:
|
case keepaliveEvent, openEvent:
|
||||||
data = map[string]string{
|
data = map[string]string{
|
||||||
|
@ -192,6 +192,11 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
|
||||||
"topic": m.Topic,
|
"topic": m.Topic,
|
||||||
}
|
}
|
||||||
case messageEvent:
|
case messageEvent:
|
||||||
|
allowForward := true
|
||||||
|
if auther != nil {
|
||||||
|
allowForward = auther.Authorize(nil, m.Topic, auth.PermissionRead) == nil
|
||||||
|
}
|
||||||
|
if allowForward {
|
||||||
data = map[string]string{
|
data = map[string]string{
|
||||||
"id": m.ID,
|
"id": m.ID,
|
||||||
"time": fmt.Sprintf("%d", m.Time),
|
"time": fmt.Sprintf("%d", m.Time),
|
||||||
|
@ -211,6 +216,16 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
|
||||||
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires)
|
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires)
|
||||||
data["attachment_url"] = m.Attachment.URL
|
data["attachment_url"] = m.Attachment.URL
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
// If anonymous read for a topic is not allowed, we cannot send the message along
|
||||||
|
// via Firebase. Instead, we send a "poll_request" message, asking the client to poll.
|
||||||
|
data = map[string]string{
|
||||||
|
"id": m.ID,
|
||||||
|
"time": fmt.Sprintf("%d", m.Time),
|
||||||
|
"event": pollRequestEvent,
|
||||||
|
"topic": m.Topic,
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
var androidConfig *messaging.AndroidConfig
|
var androidConfig *messaging.AndroidConfig
|
||||||
if m.Priority >= 4 {
|
if m.Priority >= 4 {
|
||||||
|
|
|
@ -11,6 +11,7 @@ const (
|
||||||
openEvent = "open"
|
openEvent = "open"
|
||||||
keepaliveEvent = "keepalive"
|
keepaliveEvent = "keepalive"
|
||||||
messageEvent = "message"
|
messageEvent = "message"
|
||||||
|
pollRequestEvent = "poll_request"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
|
Loading…
Reference in a new issue