使用 socket.io 和 Laravel Echo 时如何保护私有频道？

Question

这是我的server.js 文件：

var app = require('express')();
var http = require('http').Server(app);
var io = require('socket.io')(http);
var Redis = require('ioredis');
var redis = new Redis();

http.listen(3000, function(){
    console.log('Listening on Port 3000');
});

redis.psubscribe('*', function(err, count) {
    console.log(err, count);
});
redis.on('pmessage', function(subscribed, channel, message) {
    message = JSON.parse(message);
    io.emit(message.event, channel, message.data);
});

还有一个简单的事件：

class FieldWasUpdated implements ShouldBroadcast
{
    use InteractsWithSockets, SerializesModels;
    public $instance;
    public $key;
    public $value;

    public function __construct($instance, $key, $value)
    {
        $this->instance = $instance;
        $this->key = $key;
        $this->value = $value;
    }

    public function broadcastOn()
    {
        return new PrivateChannel("model." . $this->instance->getModelType() . "." . $this->instance->id);
    }
}

客户端连接socket.io：

Echo = new Echo({
    broadcaster: 'socket.io',
    host: window.location.hostname + ':3000'
});

然后监听事件（在 Blade 模板中）：

var channel = "model.{{ $instance->getModelType() }}.{{ $instance->id }}";
Echo.private(channel)
    .listen("FieldWasUpdated", function(e) {
        window.VueBus.$emit("updated", channel, e.key, e.value);
    })
    .listen("FieldBecameDisabled", function(e) {
        window.VueBus.$emit("disabled", channel, e.key);
    });

问题是：没有处理认证，任何用户都可以订阅这些频道。

Broadcast::channel("model.announcement.*", function($user, $id) {
    return false; // this function is not called
})

这是来自 Chrome 开发者控制台 (WebSocket) 的示例事件：

[
    "App\\Events\\FieldWasUpdated",
    "private-model.announcement.2",
    {
        "instance":
        {
            "type":"ANN_TYPE_MISSED_CALL",
            "status":"ANN_STATUS_CANCELLED",
            "name":"1233421",
            "phone":"+7(222)222-3322",
            "email":"sdgsg@mail.com",
            "message":"sdgdsgsdgdfdg",
            "requirement":null,
            "web_type":"ANN_WEB_TYPE_UNKNOWN",
            "url":null,
            "responsible_id":19,
            "recommender_id":18
        },
        "key":"message",
        "value":"sdgdsgsdgdfdg"
    }
]

同样没有/broadcast/auth URL，但BroadcastServiceProvider 调用了Broadcast::routes();，当浏览器加载时，不会调用/broadcast/auth。

Answer 1

Laravel 文档在广播一章中对此进行了详细介绍：https://laravel.com/docs/5.5/broadcasting#presence-channels。 Authorizing Presence Channels 部分应该与私人频道相同。