
Conversation

@melvincarvalho
Contributor

Summary

Check WAC read permission before allowing WebSocket subscriptions. This prevents information leakage via notifications to unauthorized users.

Changes

  • Add authorizeSubscription callback for solid-ws
  • Check ACL read access before allowing subscription
  • Denied subscriptions receive err <url> forbidden
  • Currently treats all WS connections as anonymous (see note below)

Dependencies

⚠️ This PR requires nodeSolidServer/node-solid-ws#29 to be merged and released first.

The solid-ws package needs the new authorize callback option before this can work.

Future enhancement

Currently all WebSocket connections are treated as anonymous for ACL purposes. This still prevents the main vulnerability (anonymous users subscribing to private resources).

Full authenticated WebSocket subscriptions would require either:

  • Parsing session cookies and looking up the session
  • Validating Authorization header bearer tokens

This can be added in a follow-up PR.

Fixes #1334

Check WAC read permission before allowing WebSocket subscriptions.
This prevents information leakage via notifications to unauthorized users.

- Add authorizeSubscription callback for solid-ws
- Check ACL read access before allowing subscription
- Deny subscription returns 'err <url> forbidden'
- Currently treats all WS connections as anonymous (TODO: auth integration)

Depends on: nodeSolidServer/node-solid-ws#29
Fixes nodeSolidServer#1334
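To make the described check concrete, here is an added example (not code from this PR, from node-solid-server or from solid-ws) of a subscription authorizer that mirrors the PR's logic: a minimal WAC evaluator over a constructed in-memory set of ACL rules treats every WebSocket connection as anonymous and only admits a `sub <url>` request when a public (foaf:Agent) acl:Read rule covers the resource, replying `err <url> forbidden` otherwise. The function names, the ACL representation and the `ack <url>` reply wording are assumptions.

```javascript
'use strict';
// Constructed ACL rules (not a real server's data). In Web Access Control an
// authorization grants modes to an agent or an agent class; foaf:Agent means
// "everyone, including anonymous clients". `default` marks a rule that is
// inherited by resources inside the named container.
const FOAF_AGENT = 'http://xmlns.com/foaf/0.1/Agent';
const ACL_READ = 'http://www.w3.org/ns/auth/acl#Read';
const ALICE = 'https://alice.example/profile/card#me';

const aclRules = [
  // Public notes: anyone may read, so anyone may subscribe to change notifications.
  { accessTo: 'https://alice.example/public/notes.ttl', agentClass: FOAF_AGENT, modes: [ACL_READ] },
  // Private inbox and everything in it: only Alice may read.
  { accessTo: 'https://alice.example/private/inbox/', default: 'https://alice.example/private/inbox/',
    agent: ALICE, modes: [ACL_READ] },
];

// Does `agent` (null = anonymous) hold acl:Read on `url` under `rules`?
function hasReadAccess(rules, url, agent) {
  return rules.some(rule => {
    const covers = rule.accessTo === url || (rule.default && url.startsWith(rule.default));
    if (!covers || !rule.modes.includes(ACL_READ)) return false;
    if (rule.agentClass === FOAF_AGENT) return true;   // public rule: anonymous passes
    return agent !== null && rule.agent === agent;      // otherwise the agent must match
  });
}

// Hypothetical authorize callback shaped like the one the PR describes: the
// server consults it before registering a subscription. As in the PR, the
// connection is treated as anonymous because no cookie or bearer-token lookup exists yet.
function authorizeSubscription(url) {
  const agent = null;
  return hasReadAccess(aclRules, url, agent);
}

// Handle one 'sub <url>' line from a client and return the reply the server
// should send: 'ack <url>' on success (assumed wording) or 'err <url> forbidden'.
// Any other line yields null so the caller can fall through to other handlers.
function handleSubscribeMessage(line) {
  const m = /^sub (\S+)$/.exec(line);
  if (!m) return null;
  const url = m[1];
  return authorizeSubscription(url) ? `ack ${url}` : `err ${url} forbidden`;
}
```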
@melvincarvalho
Contributor Author

For historical context, this issue was first raised in 2015 (#143) and Tim Berners-Lee described it as a "serious bug":

the lack of authentication is a serious bug with the current protocol

@timbl in solid/notifications#3

@bourgeoa
Member

bourgeoa commented Jan 7, 2026


Successfully merging this pull request may close these issues.

Websockets does not check .acl
