Cookie based authentication for websocket connections #231
Comments
@phanimahesh, this is a good idea:) Do you write Erlang? Please read emqttd_ws_client.erl that the module could get cookie from HTTP Upgrade request
I am working in elixir but can read erlang. I have read Should the
@Erylee I need some suggestions:
What about whitelisting allowed origins for websocket connections, either by using a CORS header or otherwise?
@phanimahesh, If I add a 'cookie' field to 'mqtt_user' record, will it work for your project?
Do you mean If the cookie is available in the auth plugin hook in any way, it works for our project. If you are planning on modifying any of the records, it may be a better idea to pass on all headers as a map or proplist. If someone uses custom headers or let's say http basic auth, this will cover all such scenarios. We need this asap, and are planning to do it ourselves tomorrow. We can send a pull request for this tomorrow if it is okay with you.
@phanimahesh, I created a branch for this issue:) and submitted a quick fix. Please check it now. Branch: https://github.com/emqtt/emqttd/tree/issue%23231 Commit: bb02ced
Looks great! However, I think including a full list of headers is a good idea. What if someone later wants to authorize using bearer tokens or basic auth? I was thinking along the lines of

```erlang
%% Take every header of the HTTP Upgrade request as a list of pairs
Headers = mochiweb_request:get(headers, Req),
Header_list = mochiweb_headers:to_list(Headers),
%% and hand the list to the protocol state under ws_initial_headers
ProtoState = emqttd_protocol:init(Peername, SendFun, [{ws_initial_headers, Header_list}|PktOpts]),
```

in
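Added example, not part of the thread and not emqttd code: one way an auth check could consume such a header list, combining the cookie lookup with the origin allowlist raised earlier in the thread, since browsers attach cookies to cross-site WebSocket handshakes too. The module name, the `session_id` cookie name, the in-memory session map and all sample values are assumptions.

```erlang
%% Added example (hypothetical module), requires OTP 20+ for the string functions.
-module(ws_cookie_auth_example).
-export([check/3, demo/0]).

%% Headers: [{Name, Value}] captured from the HTTP Upgrade request. Names may be
%% atoms, strings or binaries depending on the web server, so normalise first.
%% Sessions: #{SessionId => Username}, a stand-in for a real session store.
check(Headers, AllowedOrigins, Sessions) ->
    Norm = [{string:lowercase(to_str(K)), to_str(V)} || {K, V} <- Headers],
    case lists:member(proplists:get_value("origin", Norm), AllowedOrigins) of
        false -> {error, bad_origin};   % a missing Origin also fails closed
        true ->
            Cookies = parse_cookies(proplists:get_value("cookie", Norm, "")),
            case proplists:get_value("session_id", Cookies) of
                undefined -> {error, no_session_cookie};
                Sid ->
                    case maps:find(Sid, Sessions) of
                        {ok, User} -> {ok, User};
                        error -> {error, unknown_session}
                    end
            end
    end.

%% "a=1; b=2" -> [{"a","1"},{"b","2"}]; pairs without "=" are dropped.
parse_cookies(Line) ->
    lists:filtermap(fun(P) ->
        case string:split(string:trim(P), "=") of   % split at first "=" only
            [N, V] -> {true, {N, V}};
            _ -> false
        end
    end, string:lexemes(Line, ";")).

to_str(A) when is_atom(A) -> atom_to_list(A);
to_str(B) when is_binary(B) -> binary_to_list(B);
to_str(L) when is_list(L) -> L.

%% Constructed sample input; each match crashes if the result differs.
demo() ->
    Sessions = #{"abc123" => "alice"},
    Allowed = ["https://app.example.com"],
    SameSite = [{'Origin', "https://app.example.com"},
                {'Cookie', "theme=dark; session_id=abc123"}],
    CrossSite = [{"Origin", "https://other.example"},
                 {"Cookie", "session_id=abc123"}],
    {ok, "alice"} = check(SameSite, Allowed, Sessions),
    {error, bad_origin} = check(CrossSite, Allowed, Sessions),
    {error, no_session_cookie} =
        check([{"origin", "https://app.example.com"}], Allowed, Sessions),
    ok.
```

The second case in `demo/0` carries a valid session cookie and is still rejected, which is the reason the origin check runs before the cookie is looked at.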
@phanimahesh, It's awesome:) I merge the pull request to 0.10.0 release. Thanks.
Thanks! :)
@emqplus This is no longer possible with emqx3.0. Was it removed intentionally or accidentally? Will you accept a PR adding it back?
@phanimahesh Sorry, we have migrated the webserver from mochiweb to cowboy, so it was removed accidentally. Your PR is welcome!
This feature has been implemented in emqx 3.1-rc.2.
Hey I read @phanimahesh PR and from what I understood, the headers have been added into the ClientInfo therefore the cookies are in the ClientInfo as well. But where is it used concretely? How can I use it with the different auth plugins? If I read the emqx-auth-http docs, I can't see the headers, nor cookies as params. I went further and I tried to read the erlang code with my really basic understanding of it. I think the params could be added here https://github.com/emqx/emqx-auth-http/blob/master/src/emqx_auth_http_cli.erl#L78 adding a line in the map to pass the sessionId (the name could be specified in the config). Or maybe forward the cookies? I saw as well a feature request here: #2676. @gilbertwong96 What were you thinking to do for emqx_auth_cookie? Would it check if the session_id is present in a certain table (SQL request) or make an HTTP call? On this page (https://docs.emqx.io/broker/latest/en/introduction/checklist.html) I can see 'Browser cookie authentication'. I'm sorry but I'm a bit confused if this is possible to achieve or not and how. I'm happy to contribute but I might need some guidance to decide where and how to implement it.
Hey @HJianBo thanks! I think, you're right, it might be better to create another issue
Is it possible to authenticate websocket connections from the cookie in initial HTTP Upgrade request? I haven't found any simple way to do it.