Unauthorized handshake hook #137
This function could be overridden in an inherited class to perform some base access checking based on path and headers. If checking fails, a NotAllowedToConnect exception should be raised.
Thanks for the PR. I recognize that it's very inconvenient to override the handshake method currently. I'd like to think a bit about the best API. Perhaps it would be better to split the
Sounds like a good idea.
This is really needed - suppose you want to do OAuth authentication/authorization for your websocket server. Then you either need something like this (but ideally even more control over the response), or you need to copy/paste half the server code :(
I tried to come up with a more generic API in #154. Would that PR work for your use case? Things are a bit messy because on one side
To expand on the "more generic" part: for example my proposal supports returning 401 if authentication info is missing and 403 if authentication info is incorrect.
Well I looked over your branch and I see two things that bother me:
https://github.com/aaugustin/websockets/pull/154/files#diff-a548b853d665035e6e62944845d0a575R133
    def read_request_headers(self):
        ...
        self.request_path = path
        ...
But the bigger problem lies here:
Both issues are correct. I'll come up with a revised proposal. Thanks for your feedback.
After e58c1ac you should be all set. Let me know if you need anything else!
This replaces the get_response_status() API which never made it into a release (so there's no backwards incompatibility). Remove a test that depends on get_response_status() being called after check_request(). The extension point must be before check_request() so it can handle regular HTTP requests. Fix #116. Supersedes #202 #154, #137.
I added an authorization hook into the handshake function.
The hook allows you to raise an exception and return 401 to the client.
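
The 401-versus-403 split discussed in this thread, as an added example that is not code from this PR or from the websockets project. The function name `check_access`, the token table and the `(status, headers, body)` return shape are assumptions made for illustration.

```python
import hmac
from http import HTTPStatus

# Constructed sample data: bearer token -> path prefixes it may open.
TOKENS = {
    "s3cr3t-reader": ("/feed",),
    "s3cr3t-admin": ("/feed", "/admin"),
}


def _lookup(token):
    """Return the allowed prefixes for token, or None if it is unknown."""
    allowed = None
    for known, prefixes in TOKENS.items():
        # compare_digest does not leak how many leading characters matched.
        if hmac.compare_digest(known.encode(), token.encode()):
            allowed = prefixes
    return allowed


def check_access(path, headers):
    """Hypothetical pre-handshake hook (not the library's API).

    Returns None to let the WebSocket handshake proceed, or a
    (status, response_headers, body) tuple to answer with plain HTTP.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # Authentication info missing or malformed: 401 plus a challenge.
        return (HTTPStatus.UNAUTHORIZED,
                [("WWW-Authenticate", 'Bearer realm="ws"')],
                b"authentication required\n")
    resource = path.split("?", 1)[0]  # authorize on the path, not the query
    prefixes = _lookup(token)
    if prefixes is None or not any(
        resource == p or resource.startswith(p + "/") for p in prefixes
    ):
        # Authentication info incorrect, or not valid for this path: 403.
        return (HTTPStatus.FORBIDDEN, [], b"forbidden\n")
    return None
```

Running the check before any WebSocket-specific validation means a client that sends no credentials gets an ordinary HTTP error and never reaches the protocol upgrade.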