Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sec-Websocket-Protocol response, perhaps with custom upgrader #94

Closed
vladvelici opened this issue Apr 8, 2020 · 3 comments
Closed

Sec-Websocket-Protocol response, perhaps with custom upgrader #94

vladvelici opened this issue Apr 8, 2020 · 3 comments

Comments

@vladvelici
Copy link

vladvelici commented Apr 8, 2020
edited

I'm working on an application that provides updates to logged in users via web-socket. I don't even want the connection to be allowed for non-logged-in users and the way this was solved previously was to use the Sec-Websocket-Protocol header in the original request (setting that to a JWT).

I've added the same thing with centrifuge and added the UserID to centrifuge just fine, but the issue is that I can't make centrifuge reply with the protocol header set, which results in errors like the following:

WebSocket connection to 'ws://localhost:5000/v1/web-sockets-pubsub' failed: Error during WebSocket handshake: Sent non-empty 'Sec-WebSocket-Protocol' header but no response was received

Firefox seems fine with it and everything works well there.

As far as I know (from here) there's no other way to add auth, apart from adding the JWT to the URL but for some reason I'm trying to avoid it. I don't have a clear argument against it but something doesn't seem right to put tokens in the URL. Server and front-end are on different subdomains.

It would be great to have the option to add a customer gorilla *websocket.Upgrader to NewWebsocketHandler(), maybe by passing it as an option to WebsocketConfig. If it's null, the default is used, otherwise the given one.

What do you think?

Or am I thinking about this wrong, is there another way to handle authentication that I'm missing?
@FZambia
Copy link
Member

FZambia commented Apr 9, 2020

@vladvelici hello!

First of all - have you considered using JWT authentication over built-in library JWT support?

I mean that on client side you can set JWT with

centrifuge = new Centrifuge(...);
centrifuge.setToken('<JWT>');

where JWT should follow rules described here - https://centrifugal.github.io/centrifugo/server/authentication/

?

@vladvelici
Copy link
Author

Hi! I didn't actually see that before. I saw some JWT related stuff but I didn't notice it was for exactly this purpose. I probably can remove my auth middleware and just use this instead but it'll have to wait until I make the changes (other pressing issues first).

Thank you for the quick reply!

I don't really need to be able to specify the header anymore assuming the JWT stuff here works as I think it does. I'm closing this issue (I hope that's OK, doesn't seem needed anymore) - thanks again for the reply.

@FZambia
Copy link
Member

FZambia commented Apr 10, 2020

@vladvelici feel free to reopen if it wont work for you. BTW if current JWT format does not fit your case there is also a way to do custom JWT parsing and authentication inside ClientConnecting callback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vladvelici @FZambia