basic authentication for websockets

When I create a new websocket using chrome

new WebSocket('ws://gert:passwd@127.0.0.1:8001/dbname')

The nodejs server receives

GET /dbname HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: 127.0.0.1:8001
Origin: http://127.0.0.1:8000
Sec-WebSocket-Key1: '  5 5) 4 1e   a9 9 0 19
Sec-WebSocket-Key2: 3000909100 Q

How can I retrieve gert and passwd?

asked Jul 16 '11 02:07 by Gert Cuykens



2 Answers

It seems like Chrome does not pass basic auth data in WS headers indeed. Why not have login/pwd as part of the URL query string? (and use secure wss)

answered Oct 12 '22 07:10 by Andrey Sidorov


The Authorization header was not mentioned in the WebSocket spec until hybi-13. Chrome implements hybi-00 and hybi-10 (depending on the version of Chrome), so it wasn't a requirement of the implementation.

Now that it's mentioned in the protocol, maybe Google will implement it, but I wouldn't guarantee that putting "user:pass@..." in the URI would necessarily be the way to do it; it might require a change to the browser's WebSocket API.

answered Oct 12 '22 06:10 by Chad