#1 2015-11-20 16:39:58

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Websocket server authentication

I'm trying to implement a websockets only notification server which will only receive new notifications and broadcast to all connected clients. I'm using the chat sample code as example: https://github.com/synopse/mORMot/blob/ … er.dpr#L55

But I'm not sure how to implement security on it. I tested with the example code and I can access the methods using HTTP, e.g. if I make a GET request on http://localhost:8888/root/NotificationService.Notify it returns result: [].

I was able to add http authentication with:

TSQLRestServerFullMemory.CreateWithOwnedAuthenticatedModel([], 'user', TSQLAuthUser.ComputeHashedPassword('pass'));

But can I run websockets and HTTPS together? Using this method, the username and hashed password are exposed in the URL.

What I'd like to do is allow websocket only connection to authenticated clients only (the clients will be all Delphi applications, both the application which notifies and the clients).

Which is the recommended way to implement that?

Last edited by fabioxgn (2015-11-20 16:42:12)


#2 2015-11-20 17:50:36

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,207

Re: Websocket server authentication

Why not just use Websockets in our binary format, with encryption and compression enabled?


#3 2015-11-20 18:11:18

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: Websocket server authentication

ab wrote:

Why not just use Websockets in our binary format, with encryption and compression enabled?

That's what I'm doing, but I can make requests using HTTP to URLs like root/NotificationService.Notify and it is executing the methods.

I might be doing something wrong, here's my current code based on the chat sample:

    // In-memory REST server with an empty model; no authentication is required
    Server := TSQLRestServerFullMemory.CreateWithOwnModel([]);
    // Publish the service as a shared instance, executed locked per interface
    Service := Server.ServiceDefine(TNotificationService, [ICallBackService], sicShared).SetOptions([], [optExecLockedPerInterface]);
    // Lets any caller invoke the service without a session (see the replies below)
    Service.ByPassAuthentication := true;

    // HTTP server in bidirectional (websocket-capable) mode on port 8888
    HttpServer := TSQLHttpServer.Create('8888', [Server], '+', useBidirSocket);
    // Binary websocket frames, encrypted with 'my_key'
    HttpServer.WebSocketsEnable(Server, 'my_key');
    writeln('Press [Enter] to quit'#13#10);
    readln;

I might be confusing things as I don't know exactly how websockets work, but as far as I understand this is exposing my interface methods using HTTP on http://localhost:8888/root/, is it not? If I make a request in the browser it hits my code.

Last edited by fabioxgn (2015-11-20 18:31:19)


#4 2015-11-25 12:16:21

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: Websocket server authentication

Any thoughts about this? Or any way to allow only my Delphi client to call the server methods?


#5 2015-11-27 14:56:08

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,207

Re: Websocket server authentication

Yes, the interface is exposed over plain http.

This is why "Service.ByPassAuthentication := true" in your code may not be a good idea.

We may check the UserAgent, but it may be easy for a caller to fake it.
What we may do is to force that some service executions may be available only via WebSockets...

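
The following is an added example, not code from this thread or from the mORMot project, showing the server from post #3 with the `ByPassAuthentication` line removed and the authenticated model from post #1 used instead, so that the plain-HTTP GET from post #1 is refused and only clients that have opened a session (over HTTP or over the encrypted websocket) can reach `Notify`. The service contract, its GUID, the user name and password are constructed sample values; the `ServiceContext.Request.Session` and `SessionUserName` fields are assumed from the mORMot 1.18 API.

```pascal
program NotificationServerAuth;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  SynCommons,
  mORMot,
  mORMotHttpServer;

type
  // Constructed contract mirroring the names used in the thread;
  // the GUID is a sample value
  ICallBackService = interface(IInvokable)
    ['{8B7C9F2E-5A1D-4C3B-9E6F-2D4A7B1C0E95}']
    procedure Notify(const Text: RawUTF8);
  end;

  TNotificationService = class(TInterfacedObject, ICallBackService)
  public
    procedure Notify(const Text: RawUTF8);
  end;

procedure TNotificationService.Notify(const Text: RawUTF8);
begin
  // Only reached by a caller holding a valid session: the framework
  // rejects unauthenticated requests before the method runs
  // (field names assumed from mORMot 1.18)
  writeln('Notify from user ', ServiceContext.Request.SessionUserName,
    ' (session ', ServiceContext.Request.Session, '): ', Text);
end;

var
  Server: TSQLRestServerFullMemory;
  HttpServer: TSQLHttpServer;
begin
  // Authenticated model: every REST or service call must carry a valid
  // session signature, whatever transport it arrives on.
  // 'user' / 'pass' are constructed sample credentials.
  Server := TSQLRestServerFullMemory.CreateWithOwnedAuthenticatedModel(
    [], 'user', TSQLAuthUser.ComputeHashedPassword('pass'));
  try
    // Same service definition as post #3, but without
    // ByPassAuthentication := true, so an anonymous GET on
    // /root/NotificationService.Notify is refused
    Server.ServiceDefine(TNotificationService, [ICallBackService], sicShared)
      .SetOptions([], [optExecLockedPerInterface]);
    HttpServer := TSQLHttpServer.Create('8888', [Server], '+', useBidirSocket);
    try
      // Binary websocket frames, encrypted with the shared key and compressed
      HttpServer.WebSocketsEnable(Server, 'my_key');
      writeln('Press [Enter] to quit');
      readln;
    finally
      HttpServer.Free;
    end;
  finally
    Server.Free;
  end;
end.
```

On the client side the Delphi applications would create a `TSQLHttpClientWebsockets` against the same model and root, call `WebSocketsUpgrade('my_key')` to switch to the encrypted binary protocol, then `SetUser('user', 'pass')` to open the session before resolving `ICallBackService`; a client that skips `SetUser`, or a browser issuing a raw GET, gets an authentication error instead of `result: []`.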

#6 2015-11-30 11:57:52

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: Websocket server authentication

Forcing the service to be available only via websockets is enough for me; how can I do that?
