When I create a new websocket using chrome
new WebSocket('ws://gert:[email protected]:8001/dbname')
The nodejs server receives
GET /dbname HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: 127.0.0.1:8001
Origin: http://127.0.0.1:8000
Sec-WebSocket-Key1: ' 5 5) 4 1e a9 9 0 19
Sec-WebSocket-Key2: 3000909100 Q
How can I retrieve gert and passwd?
Authentication FlowThe client makes a WebSocket handshake request with the external authentication token passed as a query-string parameter in the handshake endpoint URL. The server checks the cache to see if the external authentication token is valid.
Use wss:// instead of ws://. This adds a security layer over your communication. Use a server like Nginx for reverse proxying websockets and enable SSL over them.
An SSL certificate is required for the WebSocket WSS (WebSocket Security) protocol to work in production environments that use the HTTPS protocol for the website. If your website uses an SSL certificate, you'll be required to use the WSS protocol for secure communications. There is no way around this.
The wss protocol establishes a WebSocket over an encrypted TLS connection, while the ws protocol uses an unencrypted connection. At this point, the network connection remains open and can be used to send WebSocket messages in either direction.
is seems like chrome does not pass basic auth data in ws headers indeed. Why not have login/pwd as part of url query string? (and use secure wss)
The Authorization
header was not mentioned in the WebSocket spec until Hybi-13. Chrome implements hybi-00 and hybi-10 (depending on the version of Chrome) so it wasn't a requirement of the implementation.
Now that it's mentioned in the protocol, maybe Google will implement it, but I wouldn't guarantee putting "user:pass@..." in the URI would necessarily be the way to do it, it might require a change to the browser's WebSocket API.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With