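<?php
namespace Ratchet\Http;
use Ratchet\ConnectionInterface;
use Ratchet\MessageComponentInterface;
use Psr\Http\Message\RequestInterface;

/**
 * A middleware to ensure JavaScript clients connecting are from the expected domain.
 * This protects other websites from opening WebSocket connections to your application.
 *
 * Note: The Origin header can be spoofed by non-web-browser clients, so this check
 * is not a substitute for authenticating the connection.
 *
 * Only the host part of the Origin header is compared; scheme and port are ignored,
 * so an allowed host is accepted on any scheme and any port.
 */
class OriginCheck implements HttpServerInterface {
    use CloseResponseTrait;

    /**
     * The decorated component that receives every event once the origin check passed.
     *
     * @var \Ratchet\MessageComponentInterface
     */
    protected $_component;

    /**
     * Host names that are allowed to connect. Entries are compared as exact strings
     * against the host taken from the Origin header.
     *
     * @var array
     */
    public $allowedOrigins = [];

    /**
     * @param MessageComponentInterface $component Component/Application to decorate
     * @param array                     $allowed   An array of domains that are allowed to connect
     */
    public function __construct(MessageComponentInterface $component, array $allowed = []) {
        $this->_component = $component;

        // Array union: with the default empty list this copies $allowed as-is.
        // Keys that already exist in $allowedOrigins keep their current value.
        $this->allowedOrigins += $allowed;
    }

    /**
     * Rejects the connection with a 403 unless the request's Origin host is allowed.
     *
     * {@inheritdoc}
     */
    public function onOpen(ConnectionInterface $conn, RequestInterface $request = null) {
        // Without a request there is no Origin to verify, so fail closed
        // instead of calling a method on null.
        if (null === $request) {
            return $this->close($conn, 403);
        }

        // A request without an Origin header yields an empty list; treat that as
        // an empty origin rather than reading an undefined offset.
        // Only the first Origin value is examined.
        $values = $request->getHeader('Origin');
        $header = isset($values[0]) ? (string)$values[0] : '';

        // Fall back to the raw header when it does not parse as a URL with a host.
        $origin = parse_url($header, PHP_URL_HOST) ?: $header;

        // Strict comparison: a non-string entry in the allow list (true, 0, null)
        // must never match an arbitrary origin through PHP's loose comparison.
        if (!in_array($origin, $this->allowedOrigins, true)) {
            return $this->close($conn, 403);
        }

        return $this->_component->onOpen($conn, $request);
    }

    /**
     * Passed straight through to the decorated component.
     *
     * {@inheritdoc}
     */
    public function onMessage(ConnectionInterface $from, $msg) {
        return $this->_component->onMessage($from, $msg);
    }

    /**
     * Passed straight through to the decorated component.
     *
     * {@inheritdoc}
     */
    public function onClose(ConnectionInterface $conn) {
        return $this->_component->onClose($conn);
    }

    /**
     * Passed straight through to the decorated component.
     *
     * {@inheritdoc}
     */
    public function onError(ConnectionInterface $conn, \Exception $e) {
        return $this->_component->onError($conn, $e);
    }
}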