Use access token to authenticate WebSocket connections #200
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Marked as WIP because this doesn't actually work yet. I'm debugging the backend code to find out why. |
Codecov Report@@ Coverage Diff @@
## master #200 +/- ##
==========================================
+ Coverage 74.78% 75.02% +0.23%
==========================================
Files 111 112 +1
Lines 5585 5665 +80
Branches 905 919 +14
==========================================
+ Hits 4177 4250 +73
- Misses 1408 1415 +7
Continue to review full report at Codecov.
|
Supply the access token to the WebSocket via a query param. This method is used to send the token because the WebSocket constructor does not allow setting custom headers. See hypothesis/product-backlog#154 for context. An alternative that was tried initially was embedding a username and password in the URL via `wss://user:password@host/` syntax but that turned out not to be supported by IE/Edge and required the server to fail the initial request with a 401 response. Fixes hypothesis/product-backlog#126
a4fb8cc to
039d867
Compare
|
Following investigation of the different methods available for authenticating the WS endpoint, this has been updated to send the access token via a query param in the WS URL instead of a username/password in the URL. See Slack discussion |
Send a "whoami" request [1] after connecting to query the authenticated user ID for the WS connection. This makes it easy to check that authentication for the WS worked as expected by inspecting the frames of the connection in the devtools. [1] http://h.readthedocs.io/en/latest/realtime/#whoami
* master: Remove auth => session dependency
|
merged master in |
sean-roberts
approved these changes
Jan 30, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In order to support clients using an OAuth access token rather than a cookie for authentication everywhere, this PR adds the access token to the URL when connecting to the WebSocket. A backend change (hypothesis/h#4330) will allow the WS server to extract the auth token and use it for authentication.
Since token fetching is asynchronous, this means that
Streamer.{connect, reconnect}also now become asynchronous since they have to fetch the token before initiating the connection. They now return a void Promise once auth token has been retrieved and the connection has been initiated.We are including credentials in the URL rather than a custom header because the browser
WebSocketAPI does not support setting custom headers for the initial handshake request. See hypothesis/product-backlog#154 for further discussion.