I have a temporary signed URL which I use to allow logged-in users who don't own the room to gain access. So anyone with the link can access the room.
This page has a websocket where only the user who owns the room, or anyone who has a valid temp signed url can access.
The issue is that the websocket auth URL is http://localhost/broadcasting/auth and this is not a valid request signature. The HTTP_REFERER contains the valid temp signed URL.
How can I validate my http referer's url instead of the current broadcast auth url?
```php
// channels
Broadcast::channel('room.{room}', static function (User $user, Room $room) {
    return $user->can('view', $room);
});

// RoomPolicy
public function view(User $user, Room $room): bool
{
    // Only the broadcast auth has a HTTP_REFERER
    $request = request();
    $httpReferer = $request->server('HTTP_REFERER');

    // Try to set the url and see if that will validate. It doesn't
    if ($httpReferer) {
        $request->replace([
            'url' => $httpReferer,
        ]);
        $validSign = $request->hasValidSignature(true);
    }

    // This will work for the initial page load, as the user has the correct temp signed url
    // But will fail when trying to auth the broadcast channel, since that is not the signed url created
    return request()->hasValidSignature() || $room->user_id === $user->id;
}
```
I was thinking I'd need to mimic how the valid signature is checked in vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php and replace the current request with all those details.
Or reimplement the hasValidSignature except with just the http_referer URL.
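
One way to run the signature check against the Referer instead of the /broadcasting/auth URL, as an added example that is not part of the original post. The function name `refererGrantsRoomAccess`, the `App\Models\Room` namespace and the route name `rooms.show` are assumptions; the Referer header is client-supplied, so the signed URL is also tied to the room being joined.

```php
<?php

use App\Models\Room;          // assumed namespace for the Room model
use Illuminate\Http\Request;

/**
 * Added example: does the Referer of the /broadcasting/auth call carry a
 * valid temporary signed URL for this particular room?
 * Assumption: the room page is a named route 'rooms.show' taking {room}.
 */
function refererGrantsRoomAccess(Request $authRequest, Room $room): bool
{
    $referer = $authRequest->headers->get('referer');
    if (! is_string($referer) || $referer === '') {
        return false; // header absent, or stripped by a Referrer-Policy
    }

    // Build a fresh GET request for the referer URL, so the signature is
    // computed over that URL and its query string rather than over
    // /broadcasting/auth. The live request is left untouched.
    $signed = Request::create($referer, 'GET');

    // Checks the HMAC and, for temporary URLs, the "expires" timestamp.
    if (! $signed->hasValidSignature()) {
        return false;
    }

    // A valid link for another room must not open this one: require the
    // signed URL (query string excluded) to be this room's page.
    return $signed->url() === route('rooms.show', $room);
}

// In RoomPolicy::view() the final line would then become:
// return $room->user_id === $user->id
//     || request()->hasValidSignature()
//     || refererGrantsRoomAccess(request(), $room);
```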