All geek questions in one place

Javascript-websocket client library that can pass custom headers in an acknowledgment request

I need a javascript library to connect to my web socket server, which is implemented using python twisted. I tried my own javascript web cellular client, but it has no way to pass custom headers according to this link . My web socket server does authentication by taking auth_token from the handshake header, as in the Oauth2 standard. Is there a javascript library for web sockets that allows you to pass a custom header when connecting?

+3
source share
1 answer

I'm sorry that I am bad news ... but - as mentioned in the question you are referring to, and as you can learn from the standard Websocket API (this is not an external library, this is what comes with the browser) ... you You cannot set your own headers for network connections.

The constructor of WebSocket (url, protocols) takes one or two arguments. The first url argument specifies the URL to connect to. Secondly, the protocols, if any, are either a string or an array of strings .... Each row in the array is a subprotocol name. A connection will be established only if the server reports that it has selected one of these routines ....

But all is not lost.

Since this is YOUR web server, you have options:

  • I'm sure OAuth2 uses the token as a parameter to request GET or POST and NOT as a custom header. This means that (perhaps) you can pass the token as part of the connection string, i.e.:

    websocket = new WebSocket('wss://my.server.com/?access_token=secret_acess_token');

    Passing a session token as such may not be ideal, but it may pose a security risk ... so I would go with the second options here:

  • New connections to web directories (unless my browsers are special) are initiated with the same cookies with which the main connection was established, which means that all cookies and session data from the Http level are accessible to the web memory level. ...

    This way you can set a unique cookie - or, even better (assuming that your http and websocket share the same code base and work well together), set the authentication token in the session store on the server side - and use these data to authenticate the connection or refuse it.

Since I'm not a Python expert, here is a small demo using Ruby Plesi Structure (I'm the author):

 require 'plezi' class DemoCtrl # this is the Http index page response def index response.write "#{cookies[:notice]}\n\n" if cookies[:notice] && (cookies[:notice] = nil).nil? #returning a string automatically appends it to the response. "We have cookies where we can place data:\n#{request.cookies.to_s}\n" end # the login page def login cookies[:my_token] = "a secret token" cookies[:notice] = "logged in" redirect_to :index end # the logout page def logout cookies[:my_token] = nil cookies[:notice] = "logged out" redirect_to :index end # a Plezi callback, called before a websocket connection is accepted. # it great place for authentication. def pre_connect puts "Websocket connections gave us cookies where we can place data:\n#{request.cookies.to_s}\n" return false unless cookies.to_s[:my_token] == "a secret token" # returning true allows the connection to be established true end def on_message data puts "echoing #{data}" response << "echo: #{data}" end end # setup the route to our demo Plezi.route '/', DemoCtrl # Plezi will start once the script is finished. # if you are running this in irb, use: exit

visit: http: // loaclhost: 3000 /

to try to start the website, open the web inspector and run the following script in the console:

 ws = new WebSocket("ws://localhost:3000/"); ws.onopen = function(e) { console.log("open"); }; ws.onmessage = function(e) { console.log(e.data);}; ws.send("Go Bears");

It must be FAIL, because we have not authenticated yet ...

visit http: // loaclhost: 3000 / login and try again.

Now it should work.

Try http: // loaclhost: 3000 / logout if you like it.

+6
source

Source: https://habr.com/ru/post/1246119/

More articles:


All Articles