New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add authentication plugin capabilities to node version of websockify (v2) #285
Conversation
environment variable
ever for demo purposes, never used in any sort of production)
other/js/auth_plugin_examples.js
Outdated
@@ -0,0 +1,90 @@ | |||
/* | |||
* An auth plugin must be a function which returns a function conforing to the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
conforing -> conforming
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in dc31fab
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
other/js/auth_plugin_examples.js
Outdated
* Parse the url path, extract the `token` querystring value, and check if | ||
* it matches the token argument. If verbose is set to true, log messages | ||
* are enabled. | ||
* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "token" query parameter already has a different meaning in the main python implementation which is used for selecting among multiple target hosts: https://github.com/novnc/websockify/wiki/Token-based-target-selection. The python implementation also supports basic authentication via the Authorization header. I think it would be better to have an example of basic auth as that would probably be more generally applicable. But certainly it shouldn't be using "token" for authentication.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replaced token based auth examples with origin-based examples (these being easier to test out using NoVNC than basic auth): a543c35
other/js/websockify.js
Outdated
let plugin_name = auth_plugin_arg.pop(); | ||
let module_path = auth_plugin_arg.join("."); | ||
|
||
let auth_plugin = require(module_path)[plugin_name]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In node it's not unusual for the module itself to have a single export (exports = myFunc). That case should probably be supported.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ff1897e
other/js/websockify.js
Outdated
let auth_source = argv["auth-source"] || undefined; | ||
websocket_server_opts = { | ||
server: webServer, | ||
verifyClient: auth_plugin(auth_source) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about the case (that is symmetrical to the python version) where auth_plugin is a class function and not just a plain function returning the auth function?
I think it would actually be more idiomatic JavaScript to have the auth_source bound as the first argument of an authorizer function rather than generating a new function in the auth_plugin itself. For example:
verifyClient: auth_plugin.bind(auth_plugin, auth_source)
Obviously, the structure of your example authentication function would change (one less layer of abstraction).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in 5c3ac52. The auth plugin can now either be a class with a authenticate
method (similar to the Python version), or a factory function which returns an object with an authenticate
method.
Thanks for the review points, @kanaka . I'll get onto those ASAP. |
How are the fixes going? |
Sorry @CendioOssman , this has been on the back burner for me. I'll get on it this weekend. Thanks for the reminder. |
issue with ws library retiring upgradeReq property
@CendioOssman @kanaka I believe I have addressed all of the review comments now. See what you think. |
@samfrances I would love to be able to review this in detail, but I just haven't been able to find the time lately. @CendioOssman if you have time to do brief review and maybe test it quickly, I have no objection to merging it. @samfrances I guess the only other question I have is if we get issues filed about this functionality are you willing to follow them up? |
@kanaka Certainly happy to follow up on any issues. |
I can try to review it, but right now I'm a bit swamped with other things. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @samfrances. Thank you for working on this! Apologies for the very long response times.
I would like to get this merged. I had a look at your commits and want to ask you to clean it up a bit. It would be nice if we could avoid "correct typo from previous commit"-types of commits.
Also if you add something in one of the earlier commits only to be removed later, you should consider if that first commit was relevant in the first place.
If you can look over your commits I think we can finish this up soon.
@@ -92,7 +93,7 @@ http_request = function (request, response) { | |||
|
|||
var uri = url.parse(request.url).pathname | |||
, filename = path.join(argv.web, uri); | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This white space change is not really close to other modified code. I would prefer if you could move it to a separate commit
other/js/auth_plugin_examples.js
Outdated
@@ -0,0 +1,90 @@ | |||
/* | |||
* An auth plugin must be a function which returns a function conforing to the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
other/js/auth_plugin_examples.js
Outdated
* a token provided as the argument to the --auth-source command line | ||
* argument | ||
* a token provided as the argument to the `--auth-source` command line | ||
* argument. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you squash the changes from this commit (22ffd2c) into the commit that originally introduced these comments please
other/js/password.txt
Outdated
@@ -1 +0,0 @@ | |||
passpass12 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
other/js/websockify.js
Outdated
var clientAddr = client._socket.remoteAddress, log; | ||
console.log(upgradeReq ? upgradeReq.url : client.upgradeReq.url); | ||
console.log(req ? req.url : client.req.url); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should rebase your changes on master to avoid commits like this one
Closing, as this was from a while ago and I don't think I'll have time to do the requested changes. |
Duplicate of pull request #282 , but without the unwanted merge commits.
I have adapted the node.js version of Websockify, to take advantage of the
ws
library's authorization capabilities. Authorisation plugins can now be specified using the--auth-plugin
and--auth-source
command line arguments.--auth-plugin
specifies the<module>.<member>
function to use as an auth plugin.--auth-source
provides additional configuration as a string, which is passed as the first argument to the plugin function. This command line interface mirrors that in the Python version of websockify.Authorisation plugins are functions that take a
source
argument, and return a function that can be used as theverifyClient
option to thews.WebSocket.Server
class from https://github.com/websockets/ws.The following abridged extract from the
ws
module documentation at https://github.com/websockets/ws/blob/master/doc/ws.md should clarify: