Security fix : don't broadcast messages to unauthenticated clients

WSRequestHandler.cpp

@@ -104,6 +104,10 @@ void WSRequestHandler::sendTextMessage(QString textMessage) {
 	_client->sendTextMessage(textMessage);
 }
 
+bool WSRequestHandler::isAuthenticated() {
+	return _authenticated;
+}
+
 WSRequestHandler::~WSRequestHandler() {
 	if (_requestData != NULL) {
 		obs_data_release(_requestData);
@@ -140,7 +144,7 @@ void WSRequestHandler::HandleGetVersion(WSRequestHandler *owner) {
 	obs_data_set_double(data, "version", 1.1);
 	obs_data_set_string(data, "obs-websocket-version", OBS_WEBSOCKET_VERSION);
 	//obs_data_set_string(data, "obs-studio-version", OBS_VERSION); // Wrong
-	
+
 	owner->SendOKResponse(data);
 
 	obs_data_release(data);

WSRequestHandler.h

@@ -32,6 +32,7 @@ class WSRequestHandler : public QObject
 		explicit WSRequestHandler(QWebSocket *client);
 		~WSRequestHandler();
 		void sendTextMessage(QString textMessage);
+		bool isAuthenticated();
 
 	private Q_SLOTS:
 		void processTextMessage(QString textMessage);

WSServer.cpp

@@ -18,6 +18,7 @@ with this program. If not, see <https://www.gnu.org/licenses/>
 
 #include "WSServer.h"
 #include "WSRequestHandler.h"
+#include "Config.h"
 #include <QtWebSockets/QWebSocketServer>
 #include <QtWebSockets/QWebSocket>
 #include <QtCore/QDebug>
@@ -54,6 +55,12 @@ WSServer::~WSServer()
 void WSServer::broadcast(QString message)
 {
 	Q_FOREACH(WSRequestHandler *pClient, _clients) {
+		if (Config::Current()->AuthRequired == true 
+			&& pClient->isAuthenticated() == false) {
+			// Skip this client if unauthenticated
+			continue;
+		}
+
 		pClient->sendTextMessage(message);
 	}
 }