From 7d40e00263319fa0f5a76154dc274b25b49555db Mon Sep 17 00:00:00 2001
From: Marc 'risson' Schmitt
Date: Thu, 27 Feb 2025 20:31:26 +0100
Subject: [PATCH] root: deny unauthenticated websocket messages consumer
Signed-off-by: Marc 'risson' Schmitt
---
 authentik/root/messages/consumer.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/authentik/root/messages/consumer.py b/authentik/root/messages/consumer.py
index 964ea6bba1..6e3782ba79 100644
--- a/authentik/root/messages/consumer.py
+++ b/authentik/root/messages/consumer.py
@@ -1,5 +1,6 @@
 """websocket Message consumer"""
+from channels.exceptions import DenyConnection
 from channels.generic.websocket import JsonWebsocketConsumer
 from django.core.cache import cache
@@ -13,6 +14,8 @@ class MessageConsumer(JsonWebsocketConsumer):
 session_key: str
 def connect(self):
+ if not self.scope["user"].is_authenticated():
+ raise DenyConnection()
 self.accept()
 self.session_key = self.scope["session"].session_key
 if not self.session_key:
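Review bot: The added guard in `connect` calls `is_authenticated()` as a method, but on Django's user classes (including `AnonymousUser`) `is_authenticated` has been a plain boolean property since Django 1.10, and the callable form was removed in 2.0. Unless the project's user model overrides it, the call raises `TypeError` for every client, so signed-in users are rejected too and anonymous ones are dropped by an unhandled exception rather than by `DenyConnection`. Use `if not self.scope["user"].is_authenticated:` instead. A consumer test that connects once anonymously and once with a logged-in user would catch this. The body of `connect` continues past the end of the hunk.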