Authentication for encrypted channels

Benjaminpjacobs · Benjaminpjacobs · commit e725f23ac0ba · 2020-10-19T13:58:04.000-06:00
Authenticated encrypted channels needs to include a step that
generates and packages the shared secret that the client will use
to decrypt messages.

Only in the instance that the channel name has the 'private-encrypted`
prefix will we generate and include a shared_secret key.

If there is no encryption_master_key but the channel is prefixed with
encrypted we will simply send back null.
diff --git a/lib/pusher/channel.rb b/lib/pusher/channel.rb
@@ -174,6 +174,15 @@ def authenticate(socket_id, custom_data = nil)
       r
     end
 
+    def shared_secret(encryption_master_key)
+      return unless encryption_master_key
+
+      secret_string = @name + encryption_master_key
+      digest = OpenSSL::Digest::SHA256.new
+      digest << secret_string
+      Base64.strict_encode64(digest.digest)
+    end
+
     private
 
     def validate_socket_id(socket_id)
diff --git a/lib/pusher/client.rb b/lib/pusher/client.rb
@@ -375,7 +375,11 @@ def notify(interests, data = {})
     #
     def authenticate(channel_name, socket_id, custom_data = nil)
       channel_instance = channel(channel_name)
-      channel_instance.authenticate(socket_id, custom_data)
+      r = channel_instance.authenticate(socket_id, custom_data)
+      if channel_name.match(/^private-encrypted-/)
+        r[:shared_secret] = channel_instance.shared_secret(encryption_master_key)
+      end
+      r
     end
 
     # @private Construct a net/http http client
diff --git a/spec/channel_spec.rb b/spec/channel_spec.rb
@@ -167,4 +167,21 @@ def authentication_string(*data)
       }.to raise_error Pusher::Error
     end
   end
+
+  describe `#shared_secret` do
+    before(:each) do
+      @channel.instance_variable_set(:@name, 'private-encrypted-1')
+    end
+
+    it 'should return a shared_secret based on the channel name and encryption master key' do
+      key = '3W1pfB/Etr+ZIlfMWwZP3gz8jEeCt4s2pe6Vpr+2c3M='
+      shared_secret = @channel.shared_secret(key)
+      expect(shared_secret).to eq("6zeEp/chneRPS1cbK/hGeG860UhHomxSN6hTgzwT20I=")
+    end
+
+    it 'should return nil if missing encryption master key' do
+      shared_secret = @channel.shared_secret(nil)
+      expect(shared_secret).to be_nil
+    end
+  end
 end
diff --git a/spec/client_spec.rb b/spec/client_spec.rb
@@ -276,6 +276,19 @@
           })
         end
 
+        it 'should include a shared_secret if the private-encrypted channel' do
+          allow(MultiJson).to receive(:encode).with(@custom_data).and_return 'a json string'
+          @client.instance_variable_set(:@encryption_master_key, '3W1pfB/Etr+ZIlfMWwZP3gz8jEeCt4s2pe6Vpr+2c3M=')
+
+          response = @client.authenticate('private-encrypted-test_channel', '1.1', @custom_data)
+
+          expect(response).to eq({
+            :auth => "12345678900000001:#{hmac(@client.secret, "1.1:private-encrypted-test_channel:a json string")}",
+            :shared_secret => "o0L3QnIovCeRC8KTD8KBRlmi31dGzHVS2M93uryqDdw=",
+            :channel_data => 'a json string'
+          })
+        end
+
       end
 
       describe '#trigger' do
