f650d2591b
- make addTreeNode receivers idempotent (invalidateOnCreatePage guard + buildTree dedup) so the author's self-echo no longer duplicates the node - broadcast realtime tree updates for bulk copy/duplicate and import via a root refetch: PAGE_CREATED now carries spaceId and the WS listener falls back to refetchRootTreeNodeEvent when no per-node snapshot is present - remove the now-dead client-relay inbound path (isTreeEvent/handleTreeEvent) that remained a stale-restriction-cache attack surface - honest string|null cast for a root move's parent id - add tests: buildTree dedup; onPageCreated per-node vs refetch branching Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
90 lines
2.5 KiB
TypeScript
90 lines
2.5 KiB
TypeScript
import {
|
|
MessageBody,
|
|
OnGatewayConnection,
|
|
OnGatewayInit,
|
|
SubscribeMessage,
|
|
WebSocketGateway,
|
|
WebSocketServer,
|
|
} from '@nestjs/websockets';
|
|
import { Server, Socket } from 'socket.io';
|
|
import { TokenService } from '../core/auth/services/token.service';
|
|
import { JwtPayload, JwtType } from '../core/auth/dto/jwt-payload';
|
|
import { OnModuleDestroy } from '@nestjs/common';
|
|
import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
|
|
import { WsService } from './ws.service';
|
|
import { getSpaceRoomName, getUserRoomName } from './ws.utils';
|
|
import * as cookie from 'cookie';
|
|
|
|
@WebSocketGateway({
|
|
cors: { origin: '*' },
|
|
transports: ['websocket'],
|
|
})
|
|
export class WsGateway
|
|
implements OnGatewayConnection, OnGatewayInit, OnModuleDestroy
|
|
{
|
|
@WebSocketServer()
|
|
server: Server;
|
|
|
|
constructor(
|
|
private tokenService: TokenService,
|
|
private spaceMemberRepo: SpaceMemberRepo,
|
|
private wsService: WsService,
|
|
) {}
|
|
|
|
afterInit(server: Server): void {
|
|
this.wsService.setServer(server);
|
|
}
|
|
|
|
async handleConnection(client: Socket, ...args: any[]): Promise<void> {
|
|
try {
|
|
const cookies = cookie.parse(client.handshake.headers.cookie);
|
|
const token: JwtPayload = await this.tokenService.verifyJwt(
|
|
cookies['authToken'],
|
|
JwtType.ACCESS,
|
|
);
|
|
|
|
const userId = token.sub;
|
|
const workspaceId = token.workspaceId;
|
|
|
|
client.data.userId = userId;
|
|
|
|
const userSpaceIds = await this.spaceMemberRepo.getUserSpaceIds(userId);
|
|
|
|
const userRoom = getUserRoomName(userId);
|
|
const workspaceRoom = `workspace-${workspaceId}`;
|
|
const spaceRooms = userSpaceIds.map((id) => getSpaceRoomName(id));
|
|
|
|
client.join([userRoom, workspaceRoom, ...spaceRooms]);
|
|
} catch (err) {
|
|
client.emit('Unauthorized');
|
|
client.disconnect();
|
|
}
|
|
}
|
|
|
|
@SubscribeMessage('message')
|
|
handleMessage(_client: Socket, _data: any): void {
|
|
// Inbound tree events from clients are no longer accepted: tree updates are
|
|
// now server-authoritative (broadcast by PageWsListener from domain events).
|
|
// The old client-relay path was removed to close that attack surface.
|
|
}
|
|
|
|
/*
|
|
@SubscribeMessage('join-room')
|
|
handleJoinRoom(client: Socket, @MessageBody() roomName: string): void {
|
|
// if room is a space, check if user has permissions
|
|
//client.join(roomName);
|
|
}
|
|
|
|
@SubscribeMessage('leave-room')
|
|
handleLeaveRoom(client: Socket, @MessageBody() roomName: string): void {
|
|
client.leave(roomName);
|
|
}
|
|
*/
|
|
|
|
onModuleDestroy() {
|
|
if (this.server) {
|
|
this.server.close();
|
|
}
|
|
}
|
|
}
|