diff --git a/auth-sample.json b/auth-sample.json index d6d9ff6..0912507 100644 --- a/auth-sample.json +++ b/auth-sample.json @@ -1,7 +1,7 @@ { "WGV99fSwgKhdQSa89HQIGxas": [ {"method":"send","params":{"recipient":["+16028675309"]}}, - {"method":"send","params":{"groupID":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}} + {"method":"send","params":{"groupId":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}} ], "ZQR3T6lqsvnXcgcWhpPOWWdv": [ {"method":"receive","params":{"envelope":{"source":"67a13c3e-8d29-2539-ce8e-41129c349d6d"}}} diff --git a/auth/json.go b/auth/json.go index 138a353..e42d431 100644 --- a/auth/json.go +++ b/auth/json.go @@ -51,6 +51,19 @@ func match(request any, filter any) bool { // Cannot find a match for something in the filter if !foundMatch {return false} } + // And the other way around + for i := 0; i < len(filter.([]any)); i ++ { + foundMatch := false; + // That something matches in the request + for j := 0; j < len(request.([]any)); j ++ { + if match(filter.([]any)[i], request.([]any)[j]) { + foundMatch = true; + break + } + } + // Cannot find a match for something in the filter + if !foundMatch {return false} + } return true; diff --git a/auth/readme.md b/auth/readme.md index b35afc5..c387cf5 100644 --- a/auth/readme.md +++ b/auth/readme.md @@ -8,7 +8,7 @@ Here's a sample auth JSON: { "WGV99fSwgKhdQSa89HQIGxas": [ {"method":"send","params":{"recipient":["+16028675309"]}}, - {"method":"send","params":{"groupID":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}, + {"method":"send","params":{"groupId":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}, ], "ZQR3T6lqsvnXcgcWhpPOWWdv": [ {"method":"receive","params":{"envelope":{"source":"67a13c3e-8d29-2539-ce8e-41129c349d6d"}}} 
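Review bot: In `match` (auth/json.go), the added "other way around" loop still uses `len(filter.([]any))` for its outer loop and only swaps the arguments to `match(filter.([]any)[i], request.([]any)[j])`, so an element that exists only in the request array is never required to match anything in this loop. With the README's own example (request `["+16028675309","someBadNumber"]`, filter `["+16028675309"]`), the single filter item finds its counterpart and this loop falls through to `return true;`. Whether that request is rejected therefore depends entirely on the earlier loop, which starts outside the hunk and, judging by its identical "something in the filter" comment, may iterate in the same direction. Because this result is the authorization decision, the reverse check should iterate over the request: outer `for j := 0; j < len(request.([]any)); j ++ {`, inner `for i := 0; i < len(filter.([]any)); i ++ {`, test `if match(request.([]any)[j], filter.([]any)[i]) {`, with the comment changed to `// Cannot find a filter item that allows this request item`. A unit test that pins the `someBadNumber` example and an empty filter array `[]` against a non-empty request array would keep this from regressing.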
@@ -21,15 +21,17 @@ When an HTTP request comes in, this software will do the following: 1. Check that there's an `Authorization` header 2. Get the authorization header's value (bearer token) 3. Read the JSON array corresponding to the bearer token. -4. See if any JSON object in that array (called a filter) does not have any data the request JSON doesn't. +4. See if any JSON object in that array (called a filter) does not have any data the request JSON doesn't, except for arrays which must match excactly. 5. If the statement in step 4 is true, forward the request into the signal-cli process and return the response. So for example, the reqest `{"method":"send","params":{"recipient":["+16028675309"],"message":"message"},"id":"SomeID"},` would be allowed by the filter `{"method":"send","params":{"recipient":["+16028675309"]}}` because the filter does not have any data the request does not. But `{"method":"send","params":{"recipient":["+5555555555"],"message":"message"},"id":"SomeID"},` would not because the phone number differs. +Note: items in arrays must "match" exactly, but items in items in arrays follow normal rules. So the request `{"method":"send","params":{"recipient":["+16028675309","someBadNumber"]}}` would NOT match the filter `{"method":"send","params":{"recipient":["+16028675309",]}}` + These filters can be as granular as you want. Here's what each filter JSON object in the above sample JSON does: `{"method":"send","params":{"recipient":["+16028675309"]}}` allows sending to `+16028675309` (any message, timestamp, etc.) -`{"method":"send","params":{"groupID":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}`: allows sending to group `67a13c3e-8d29-2539-ce8e-41129c349d6d` (any message, timestamp, etc.) +`{"method":"send","params":{"groupId":["67a13c3e-8d29-2539-ce8e-41129c349d6d"]}}`: allows sending to group `67a13c3e-8d29-2539-ce8e-41129c349d6d` (any message, timestamp, etc.) 
`{"method":"receive","params":{"envelope":{"source":"67a13c3e-8d29-2539-ce8e-41129c349d6d"}}}` allows receiving from group `67a13c3e-8d29-2539-ce8e-41129c349d6d` \ No newline at end of file