Fixing authentication

2025-07-28 23:12:47 -07:00 · 2025-07-28 23:12:47 -07:00 · d302f39719
commit d302f39719
parent e2fabf8cea
3 changed files with 19 additions and 4 deletions
--- a/auth-sample.json
+++ b/auth-sample.json
@ -1,7 +1,7 @@
 {
 	"WGV99fSwgKhdQSa89HQIGxas": [
 		{"method":"send","params":{"recipient":["+16028675309"]}},
-		{"method":"send","params":{"groupID":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}
+		{"method":"send","params":{"groupId":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}
 	],
 	"ZQR3T6lqsvnXcgcWhpPOWWdv": [
 		{"method":"receive","params":{"envelope":{"source":"67a13c3e-8d29-2539-ce8e-41129c349d6d"}}}
--- a/auth/json.go
+++ b/auth/json.go
@ -51,6 +51,19 @@ func match(request any, filter any) bool {
 				// Cannot find a match for something in the filter
 				if !foundMatch {return false}
 			}
+			// And the other way around
+			for i := 0; i < len(filter.([]any)); i ++ {
+				foundMatch := false;
+				// That something matches in the request
+				for j := 0; j < len(request.([]any)); j ++ {
+					if match(filter.([]any)[i], request.([]any)[j]) {
+						foundMatch = true;
+						break
+					}
+				}
+				// Cannot find a match for something in the filter
+				if !foundMatch {return false}
+			}
 			
 			return true;
 		
--- a/auth/readme.md
+++ b/auth/readme.md
@ -8,7 +8,7 @@ Here's a sample auth JSON:
 {
 	"WGV99fSwgKhdQSa89HQIGxas": [
 		{"method":"send","params":{"recipient":["+16028675309"]}},
-		{"method":"send","params":{"groupID":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}},
+		{"method":"send","params":{"groupId":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}},
 	],
 	"ZQR3T6lqsvnXcgcWhpPOWWdv": [
 		{"method":"receive","params":{"envelope":{"source":"67a13c3e-8d29-2539-ce8e-41129c349d6d"}}}
@ -21,15 +21,17 @@ When an HTTP request comes in, this software will do the following:
 1. Check that there's an `Authorization` header
 2. Get the authorization header's value (bearer token)
 3. Read the JSON array corresponding to the bearer token.
-4. See if any JSON object in that array (called a filter) does not have any data the request JSON doesn't.
+4. See if any JSON object in that array (called a filter) does not have any data the request JSON doesn't, except for arrays which must match excactly.
 5. If the statement in step 4 is true, forward the request into the signal-cli process and return the response.

 So for example, the reqest `{"method":"send","params":{"recipient":["+16028675309"],"message":"message"},"id":"SomeID"},` would be allowed by the filter `{"method":"send","params":{"recipient":["+16028675309"]}}` because the filter does not have any data the request does not. But `{"method":"send","params":{"recipient":["+5555555555"],"message":"message"},"id":"SomeID"},` would not because the phone number differs.

+Note: items in arrays must "match" exactly, but items in items in arrays follow normal rules. So the request `{"method":"send","params":{"recipient":["+16028675309","someBadNumber"]}}` would NOT match the filter `{"method":"send","params":{"recipient":["+16028675309",]}}` 
+
 These filters can be as granular as you want.

 Here's what each filter JSON object in the above sample JSON does: 

 `{"method":"send","params":{"recipient":["+16028675309"]}}` allows sending to `+16028675309` (any message, timestamp, etc.)
-`{"method":"send","params":{"groupID":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}`: allows sending to group `67a13c3e-8d29-2539-ce8e-41129c349d6d` (any message, timestamp, etc.)
+`{"method":"send","params":{"groupId":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}`: allows sending to group `67a13c3e-8d29-2539-ce8e-41129c349d6d` (any message, timestamp, etc.)
 `{"method":"receive","params":{"envelope":{"source":"67a13c3e-8d29-2539-ce8e-41129c349d6d"}}}` allows receiving from group `67a13c3e-8d29-2539-ce8e-41129c349d6d`