Pass CSRF token using Sec-WebSocket-Protocol header

iarenaza · iarenaza · commit ab7d90fe3856 · 2025-04-05T17:04:50.000+02:00
The proposed change tries to respect other values in the Sec-WebSocket-Protocol header, that the caller may have set in the `headers` option when calling `make-channel-socket-client!` [Re: #418]
diff --git a/src/taoensso/sente.cljc b/src/taoensso/sente.cljc
@@ -369,6 +369,8 @@
   (allow-origin? #{"http://site.com"} {:headers {"referer" "http://attacker.com/"}})
   (allow-origin? #{"http://site.com"} {:headers {"referer" "http://site.com.attacker.com/"}}))
 
+(def ^:private sente-csrf-token-prefix "sente-csrf-token-")
+
 (defn make-channel-socket-server!
   "Takes a web server adapter[1] and returns a map with keys:
 
@@ -633,6 +635,20 @@
           ;; undefined):
           nil)
 
+        sente-csrf-token-pred
+        (fn [s]
+          (when (str/starts-with? s sente-csrf-token-prefix)
+            (subs s (count sente-csrf-token-prefix))))
+
+        ws-csrf-token
+        (fn [ring-req]
+          (let [ws? (= "websocket" (get-in ring-req [:headers "upgrade"]))
+                sec-websocket-protocol (get-in ring-req [:headers "sec-websocket-protocol"])
+                protocol-vals (when (and ws? (string? sec-websocket-protocol))
+                                (-> sec-websocket-protocol
+                                    (str/split #", *")))]
+            (some sente-csrf-token-pred protocol-vals)))
+
         bad-csrf?
         (fn [ring-req]
           (if (nil? csrf-token-fn) ; Provides a way to disable CSRF check
@@ -642,7 +658,8 @@
                     (or
                       (get-in ring-req [:params    :csrf-token])
                       (get-in ring-req [:headers "x-csrf-token"])
-                      (get-in ring-req [:headers "x-xsrf-token"]))]
+                      (get-in ring-req [:headers "x-xsrf-token"])
+                      (ws-csrf-token ring-req))]
 
                 (not
                   (enc/const-str=
@@ -1316,7 +1333,8 @@
                   (enc/oget @?node-npm-websocket_ "w3cwebsocket"))]
 
        (delay
-         (let [socket (WebSocket. uri-str)]
+         (let [protocols (:sec-websocket-protocol headers)
+               socket (WebSocket. uri-str protocols)]
            (doto socket
              (aset "onerror"   on-error)
              (aset "onmessage" on-message) ; Nb receives both push & cb evs!
@@ -1569,13 +1587,19 @@
                           {:on-error   on-error
                            :on-message on-message
                            :on-close   on-close
-                           :headers    headers
+                           :headers    (update headers :sec-websocket-protocol
+                                               (fn [x]
+                                                 (let [csrf-token (str sente-csrf-token-prefix
+                                                                     (get-client-csrf-token-str :dynamic
+                                                                       (:csrf-token @state_)))]
+                                                   (cond
+                                                     (string? x) [x csrf-token]
+                                                     (coll? x) (conj x csrf-token)
+                                                     :else csrf-token))))
                            :uri-str
                            (enc/merge-url-with-query-string url
                              (merge params ; 1st (don't clobber impl.):
-                               {:client-id  client-id
-                                :csrf-token (get-client-csrf-token-str :dynamic
-                                              (:csrf-token @state_))}))}))
+                               {:client-id client-id}))}))
 
                       (catch #?(:clj Throwable :cljs :default) t
                         (timbre/errorf t "Error creating WebSocket client")
