// WebsocketHandler handles an incoming WebSocket and dispatches to the correct
// handler based on whether the user is authenticated and whether the session
// he's viewing belongs to him.
func WebsocketHandler(s *websocket.Conn, dbStore *Store, sessionStore sessions.Store, redisAddr string) {
StatCount("websocket", 1)
xlog.Infof("WebsocketHandler: opened connection")
r := s.Request()
session, err := sessionStore.Get(r, SESSIONNAME)
if err != nil {
xlog.Debugf("Getting session failed: %v", err)
StatCount("getting session failed", 1)
return
}
sessionData := struct {
SessionID string `json:"session_id"`
}{}
if err := websocket.JSON.Receive(s, &sessionData); err != nil {
xlog.Errorf("WebsocketHandler: JSON.Receive failed: %v", err)
return
}
owner, sessionID, err := dbStore.GetOwnerForSession(sessionData.SessionID)
if err != nil {
xlog.Errorf("GetOwnerForSession failed: %v", err)
return
}
if session.Values["userID"] == nil {
xlog.Errorf("WebsocketHandler is not authenticated -> slave handler")
slaveHandler(s, sessionID, dbStore, redisAddr)
} else if owner == session.Values["userID"].(int) {
xlog.Infof("WebSocketHandler owner matches -> master handler")
masterHandler(s, sessionID, dbStore, redisAddr)
} else {
xlog.Infof("WebSocketHandler owner doesn't match -> slave handler")
slaveHandler(s, sessionID, dbStore, redisAddr)
}
}
func VerifyXSRFToken(w http.ResponseWriter, r *http.Request, sessionStore sessions.Store, secureCookie *securecookie.SecureCookie) bool {
xsrftoken := r.Header.Get(XSRFTOKENHEADER)
userID := ""
err := secureCookie.Decode(XSRFTOKEN, xsrftoken, &userID)
if err == nil {
session, _ := sessionStore.Get(r, SESSIONNAME)
if userID != "" && userID == session.Values["username"].(string) {
xlog.Infof("XSRF verification success for user %s", session.Values["username"].(string))
return true
}
xlog.Errorf("XSRF issue: userID = %s session = %s", userID, session.Values["username"].(string))
}
xlog.Errorf("XSRF verification failed: %v (Request: %#v", err, *r)
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
StatCount("XSRF verification failed", 1)
return false
}