#1 2021-02-24 22:28:22

Gregory_Les
Member
Registered: 2021-02-22
Posts: 5

TWebSocketServer administration of connections

Hello,

I try to build a simple chat using the SimpleEchoServer project.
This works well, but I am missing the ability to determine who is allowed to connect.

Is there a possibility to specifically disconnect a user by the server?



---EDIT---
In the event assigned to TWebSocketProtocolEcho.OnIncomingFrame there is a reference to Sender: THttpServerResp;
There is a procedure Sender.Terminate;
I'm unsure if this is the best way to do this, but it seems to work.

Last edited by Gregory_Les (2021-02-25 10:03:18)


#2 2021-02-25 13:15:04

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: TWebSocketServer administration of connections

It will terminate the WebSockets thread for sure.
The main WebSockets process loop indeed checks for the Terminated flag, and closes the connection when detected.


#3 2021-02-25 17:54:10

Gregory_Les
Member
Registered: 2021-02-22
Posts: 5

Re: TWebSocketServer administration of connections

ab wrote:

The main WebSockets process loop indeed checks for the Terminated flag, and closes the connection when detected.

This sounds like detecting a user who disconnected by himself.
My intention was to kick a User who didn't have permission to join the connection.


In the meantime I found out that the procedure "HttpServerWebSocketUpgrade"
can prevent a user from logging in.
By checking for "ORIGIN" and "SEC-WEBSOCKET-PROTOCOL" there are two parameters that an unwanted user does not know.
It's probably laughable, but at least a sparkle of safety.

Additionally, it wouldn't be bad to limit the incoming frames per minute and/or the size of the binary payload.
I'm sure the event TWebSocketProtocolEcho.OnIncomingFrame is too late for checking this, isn't it?


#4 2021-02-25 20:34:51

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: TWebSocketServer administration of connections

I see two easy solutions:

1/ Add an Authorization: Bearer token - e.g. a JWT - to the request, and overload the OnBeforeBody callback.
Then you check the JWT and reject the request even before the WebSockets connection is upgraded.

2/ Add some kind of token at the URI level.
Usually, the WS URI is returned from a standard REST service, so it is easy to put a JWT with a short expiration time for instance as part of the URI.

It is very standard for any kind of WebSockets client, and easy to do in JavaScript (especially the 2nd solution, because you can't set a Bearer from a web browser client).

Note that for non-mORMot clients, you should rather use JSON as frame type, not binary, and that you should encapsulate the WebSockets over HTTPS/TLS, using e.g. nginx as reverse proxy.

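Solutions 1/ and 2/ combined, as an added example that is not code from this thread or from mORMot itself: an OnBeforeBody handler for mORMot 1.18 that rejects the request before any upgrade happens. The TOnHttpServerBeforeBody signature, TJWTHS256.Verify, FindIniNameValue, UrlDecodeValue and the STATUS_* constants are assumed from SynCrtSock, SynCrypto and SynCommons; the ?token= parameter name is made up for the example.

```pascal
uses
  SynCommons, SynCrtSock, SynCrypto;

type
  TChatAuth = class
  private
    fJwt: TJWTHS256;
  public
    constructor Create(const aSecret: RawUTF8);
    destructor Destroy; override;
    // TOnHttpServerBeforeBody signature of mORMot 1.18 (assumed): runs before
    // the WebSocket upgrade, and any status but 200 rejects the connection
    function BeforeBody(const aURL, aMethod, aInHeaders, aInContentType,
      aRemoteIP: SockString; aContentLength: integer; aUseSSL: boolean): cardinal;
  end;

constructor TChatAuth.Create(const aSecret: RawUTF8);
begin
  // key derived from the secret (1000 PBKDF2 rounds); jrcExpirationTime rejects
  // tokens without exp; tokens computed by fJwt itself expire after 5 minutes
  fJwt := TJWTHS256.Create(aSecret, 1000, [jrcExpirationTime], [], 5);
end;

destructor TChatAuth.Destroy;
begin
  fJwt.Free;
  inherited;
end;

function TChatAuth.BeforeBody(const aURL, aMethod, aInHeaders, aInContentType,
  aRemoteIP: SockString; aContentLength: integer; aUseSSL: boolean): cardinal;
var
  token: RawUTF8;
  query: PUTF8Char;
begin
  // 1/ native clients send the JWT as an Authorization: Bearer header
  token := FindIniNameValue(pointer(aInHeaders), 'AUTHORIZATION: BEARER ');
  // 2/ browsers cannot set that header on a WebSocket, so also accept the same
  //    short-lived JWT as a ?token= query parameter (name made up for the example)
  query := PosChar(pointer(aURL), '?');
  if query <> nil then inc(query); // skip '?' so query points at the first pair
  while (token = '') and (query <> nil) do
    UrlDecodeValue(query, 'TOKEN=', token, @query);
  if token = '' then
    result := STATUS_UNAUTHORIZED            // 401: no token supplied at all
  else if fJwt.Verify(token) <> jwtValid then
    result := STATUS_FORBIDDEN               // 403: expired, bad signature...
  else
    result := STATUS_SUCCESS;                // 200: continue to the upgrade
end;
```

Assign `Auth.BeforeBody` to the server's `OnBeforeBody` property after creating the server; the JWT issuer must sign tokens with the same secret and PBKDF2 round count.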
