Description:
Currently, WebSocket endpoints (e.g., message notifications) lack access control checks to determine if a connected user has the necessary permissions to read or interact with certain resources. This introduces a potential security risk where unauthorized users could receive or emit messages for rooms or data they shouldn't access.
We should introduce a middleware mechanism (similar to the ability checks used in controller actions) that enforces permission checks on WebSocket events such as room joins, message subscriptions, etc.
Proposed Solution:
- Create an `ability` or `authorization` middleware specifically for WebSocket gateways.
- This middleware should:
  - Validate user permissions before allowing them to listen to or join a specific room.
  - Be reusable across different WebSocket events.
- Consider creating a shared `ability/authorization` module that can bridge the `user` module and WebSocket gateway logic to ensure consistent permission handling across both HTTP and WS layers.
Benefits:
- Improved security and access control for real-time features.
- Consistent permission logic across REST and WebSocket layers.
- Better extensibility and maintainability for future WS features.
Related: Authorization logic already exists for controllers, and can be a good starting point for abstraction.
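One way the proposal could look in code, as an added illustration that is not part of the issue or the project: a single `can()` ability function shared by the HTTP and WebSocket layers, and a `withAbility()` wrapper that runs it before a gateway handler such as a room join is allowed to proceed. All types, names and the in-memory room store are hypothetical stand-ins for the project's `user` module and gateway.

```typescript
// Added example, not the project's code. Demonstrates a shared ability check
// consulted by both REST and WS layers, plus WS middleware that enforces it.
type Action = "read" | "write";
interface User { id: string; roles: string[] }
interface Room { id: string; memberIds: string[] }

// Shared rule: members may read; editors (or admins) may also write.
// Both controllers and gateways call this, so the two layers cannot drift apart.
function can(user: User, action: Action, room: Room): boolean {
  if (user.roles.includes("admin")) return true;
  const member = room.memberIds.includes(user.id);
  return action === "read" ? member : member && user.roles.includes("editor");
}

// Minimal stand-ins for a gateway's event and per-connection context (hypothetical).
interface WsEvent { name: "room:join" | "message:subscribe"; roomId: string }
interface WsContext { user: User; joined: Set<string> }
type Handler = (ctx: WsContext, ev: WsEvent) => void;

// Constructed in-memory room store standing in for the real data layer.
const rooms = new Map<string, Room>();
rooms.set("r1", { id: "r1", memberIds: ["alice"] });

// WS middleware: reusable across events, denies before the handler runs.
// An unknown room is treated as a denial rather than leaking its absence.
function withAbility(action: Action, handler: Handler): Handler {
  return (ctx, ev) => {
    const room = rooms.get(ev.roomId);
    if (!room || !can(ctx.user, action, room)) {
      throw new Error(`forbidden: ${ctx.user.id} may not ${action} room ${ev.roomId}`);
    }
    handler(ctx, ev);
  };
}

// Guarded room-join handler: joining requires "read" on the room.
const joinRoom = withAbility("read", (ctx, ev) => { ctx.joined.add(ev.roomId); });

// Drives one join attempt and reports whether the client ended up in the room.
function tryJoin(user: User, roomId: string): boolean {
  const ctx: WsContext = { user, joined: new Set<string>() };
  try {
    joinRoom(ctx, { name: "room:join", roomId });
    return ctx.joined.has(roomId);
  } catch {
    return false;
  }
}
```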