[1.x] Add support for wildcard allowed origins (#233)

* Add support for wildcard allowed origins * Extend tests to include checks for wildcard options * Remove redundant code from FakeConnection * Format array notation * formatting --------- Co-authored-by: Joe Dixon <[email protected]>
laravel · Aug 1, 2024 · 43ebb6f · 43ebb6f
1 parent 5a8e9c6
commit 43ebb6f
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 20 deletions.
diff --git a/src/Protocols/Pusher/Server.php b/src/Protocols/Pusher/Server.php
@@ -125,8 +125,12 @@ protected function verifyOrigin(Connection $connection): void
 
         $origin = parse_url($connection->origin(), PHP_URL_HOST);
 
-        if (! $origin || ! in_array($origin, $allowedOrigins)) {
-            throw new InvalidOrigin;
+        foreach ($allowedOrigins as $allowedOrigin) {
+            if (Str::is($allowedOrigin, $origin)) {
+                return;
+            }
         }
+
+        throw new InvalidOrigin;
     }
 }
diff --git a/tests/FakeConnection.php b/tests/FakeConnection.php
@@ -34,11 +34,13 @@ class FakeConnection extends BaseConnection
     /**
      * Create a new fake connection instance.
      */
-    public function __construct(?string $identifier = null)
+    public function __construct(?string $identifier = null, ?string $origin = null)
     {
         if ($identifier) {
             $this->identifier = $identifier;
         }
+
+        $this->origin = $origin ?? 'http://localhost';
     }
 
     /**
@@ -69,14 +71,6 @@ public function app(): Application
         return app()->make(ApplicationProvider::class)->findByKey('reverb-key');
     }
 
-    /**
-     * Get the origin of the connection.
-     */
-    public function origin(): string
-    {
-        return 'http://localhost';
-    }
-
     /**
      * Set the connection last seen at timestamp.
      */

diff --git a/tests/Unit/Protocols/Pusher/ServerTest.php b/tests/Unit/Protocols/Pusher/ServerTest.php
@@ -282,9 +282,9 @@
         ->with($connection);
 });
 
-it('it rejects a connection from an invalid origin', function () {
-    $this->app['config']->set('reverb.apps.apps.0.allowed_origins', ['laravel.com']);
-    $this->server->open($connection = new FakeConnection);
+it('it rejects a connection from an invalid origin', function (string $origin, array $allowedOrigins) {
+    $this->app['config']->set('reverb.apps.apps.0.allowed_origins', $allowedOrigins);
+    $this->server->open($connection = new FakeConnection(origin: $origin));
 
     $connection->assertReceived([
         'event' => 'pusher:error',
@@ -293,11 +293,24 @@
             'message' => 'Origin not allowed',
         ]),
     ]);
-});
-
-it('accepts a connection from an valid origin', function () {
-    $this->app['config']->set('reverb.apps.0.allowed_origins', ['localhost']);
-    $this->server->open($connection = new FakeConnection);
+})->with([
+    'localhost' => [
+        'http://localhost',
+        ['laravel.com'],
+    ],
+    'subdomain' => [
+        'http://sub.laravel.com',
+        ['laravel.com'],
+    ],
+    'wildcard' => [
+        'http://laravel.com',
+        ['*.laravel.com'],
+    ],
+]);
+
+it('accepts a connection from an valid origin', function (string $origin, array $allowedOrigins) {
+    $this->app['config']->set('reverb.apps.apps.0.allowed_origins', $allowedOrigins);
+    $this->server->open($connection = new FakeConnection(origin: $origin));
 
     $connection->assertReceived([
         'event' => 'pusher:connection_established',
@@ -306,4 +319,13 @@
             'activity_timeout' => 30,
         ]),
     ]);
-});
+})->with([
+    'localhost' => [
+        'http://localhost',
+        ['localhost'],
+    ],
+    'wildcard' => [
+        'http://sub.localhost',
+        ['localhost', '*.localhost'],
+    ],
+]);