-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add authorization for writes #2
Comments
Authorization should probably be handled upstream (e.g. on Nginx / Caddy). But new URL vs existing URL distinction is in wsbroad's purview. Maybe it can support multiple prefixes like Upstream web server (which is needed for Do you find this setup useful? |
yes, this would also work |
I would prefer rw to be able to create, though it's trivial to handle calling new if rw/ is 404 |
RFC: access prefixes.With Letters:
WebSocket messages sent by client connected to With @tarasglek Does this sound reasonable? Are there any missing details / tricky interactions? |
Spec is a bit hard to follow without context in this ticket. Happy to propose easier docs for it once it works.
|
Why short-term? It would be just idling opened WebSocket connection without any sent or received messages.
Currently |
That's not in the spec - write-only clients are supposed to work. Imagine a public endpoint where clients send personally identifiable information. You'll probably want only privileged internal service to read those messages, not clients read each others' messages. |
Reasonable. Maybe there would be a CLI option to adjust that. |
That would slightly complicate the parsing. If go the restriction way, then might as well only allow canonical representations (i.e. no duplicates, only |
ok, overall your spec works well even without my suggestions. Your call on those details. |
Pushed Does it work properly and match your use case? |
|
Have you tried sending multiple messages? Websocat (without |
i can't repro earlier behavior. I think it was lack of -E that confused me. All good to go. |
Hi I really love the convenience of wsbroad.
Would be really nice to deploy wsbroad as cheap and cheerful low-effort pub-sub.
Only thing that's missing would be to add --auth-rw, ideally similarly to miniserve:
In presence of a flag like this clients would get a 404 if they open a url that hasn't been opened by a writer without the right
Authorization:
header.Would be nice to have an equivalent --auth-ro and --auth too.
Hope this isn't out of scope.
The text was updated successfully, but these errors were encountered: