Additional web socket security

Checks that clients are authorized to receive a video stream. An attacker could easily modify client.js to connect to a password protected victim server otherwise.
patrickfuller · Dec 21, 2017 · 2708855 · 2708855
1 parent d9dbaa5
commit 2708855
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/server.py b/server.py
@@ -62,8 +62,11 @@ def on_message(self, message):
 
         # Start an infinite loop when this is called
         if message == "read_camera":
-            self.camera_loop = PeriodicCallback(self.loop, 10)
-            self.camera_loop.start()
+            if not args.require_login or self.get_secure_cookie(COOKIE_NAME):
+                self.camera_loop = PeriodicCallback(self.loop, 10)
+                self.camera_loop.start()
+            else:
+                print("Unauthenticated websocket request")
 
         # Extensibility for other methods
         else: