fix(api): add an authenticated access policy to the websocket endpoint (#1979)

* fix(api): add an authenticated access policy to the websocket endpoint * refactor(api): centralize EndpointAccess validation * feat(api): validate id query parameter for the /websocket/exec endpoint
2025-07-23 07:19:41 +02:00 · 2018-06-18 11:56:31 +02:00 · 2018-06-18 11:56:31 +02:00 · da5a430b8c
commit da5a430b8c
parent f3ce5c25de
14 changed files with 100 additions and 124 deletions
--- a/api/http/handler/websocket/handler.go
+++ b/api/http/handler/websocket/handler.go
@ -1,12 +1,11 @@
 package websocket

 import (
-	"net/http"
-
 	"github.com/gorilla/mux"
 	"github.com/gorilla/websocket"
 	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
 )

 // Handler is the HTTP handler used to handle websocket operations.
@ -14,15 +13,18 @@ type Handler struct {
 	*mux.Router
 	EndpointService    portainer.EndpointService
 	SignatureService   portainer.DigitalSignatureService
+	requestBouncer     *security.RequestBouncer
 	connectionUpgrader websocket.Upgrader
 }

 // NewHandler creates a handler to manage websocket operations.
-func NewHandler() *Handler {
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		connectionUpgrader: websocket.Upgrader{},
+		requestBouncer:     bouncer,
 	}
-	h.Handle("/websocket/exec", httperror.LoggerHandler(h.websocketExec)).Methods(http.MethodGet)
+	h.PathPrefix("/websocket/exec").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.websocketExec)))
 	return h
 }