Set up basic websocket server #56
Conversation
|
Something to consider: How to deal with authorization? Currently I don't have a clear view of how authorization currently works in our application. |
|
Very nice! Authentication is still TBD: a the moment we have a password-based system encoding the password in plain text in the JSON transactions on the POST server. We would love to transition to an API key that can only be used to log in for submission (and not for the website) such that a compromised API key would not endanger the data. For the websocket, we might actually authenticate just once when the connection is established (eventually via a simple JSON tuple) and then the server would drop the connection if the user/key is not valid. |
|
One more option: the request to establish the websocket connection (before the protocol upgrade stage) is done as a regular HTTP request. Would it be possible to intercept that header? If so, we might use the Authentication header for the same purpose and accept the protocol upgrade only in case of successful authentication... Something like this could be an easy way: django/channels#903 (comment) |
|
Very nice point, I wasn't aware websockets worked in that way (establish over HTTP before upgrading). This could be an interesting way to work with it. I'll take a look at it. I've also found that channels should be able to plug into our current authentication middleware https://channels.readthedocs.io/en/stable/topics/authentication.html. I'll have a look at both and try to find which works best with our current setup |
|
I think this is the best approach! the custom middleware seems to intercept the HTTP headers (so before the protocol upgrade), then we should have a very clean websocket (basically only data) while all the authentication remains handled by the HTTP part. I am not sure it makes a real difference to use the standard HTTP header or an "Authentication" header (which usually is Base64 encoded)... since all the data will be under SSL it might not really make a difference but just be more intuitive. One point could be where to send the user name: if we send it only in the authentication header (or in another one), this might not be accessible to the process handling the data transmitted so we will have to pass that value somehow (such that, for example, it is added to the database). Otherwise, we might send the API key in the authentication header so authentication is only performed with that (or both user name and API key in the authentication header) and then add also the username in the JSON data transfer so that it is easier to handle in the downstream data processing (basically each JSON block comes with a user name). And, if no API key is fund, we drop the connection altogether and ignore the problem. |
|
I'll try to come back to this next week. The past weeks and this week too have been busy for me. If it suits you we could merge this as is so it's available to the main branch. Then we can create a follow-up issue for the authentication and potentially prioritize it above other work? If you prefer to leave this PR open that's fine too, I wanted to give you an update on how much time I can commit for now. Things should calm down halfway next week for me |
Hello, this PR adds a basic endpoint for the websocket server.
Some things to note:
delfitlm/asgi.py)I've tested this with websocat (
websocat ws://127.0.0.1:8000/ws/echo/). You should be greeted and every message you sent should be sent back to you in a JSON format.From this setup we can create specific endpoints to handle commands and such