#1 2015-11-20 16:39:58

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Websocket server authentication

I'm trying to implement a websockets only notification server which will only receive new notifications and broadcast to all connected clients. I'm using the chat sample code as example: https://github.com/synopse/mORMot/blob/ … er.dpr#L55

But I'm not sure how to implement security on it, I tested with the example code and I can access the methods using http, ex: if I make a GET request on http://localhost:8888/root/NotificationService.Notify it returns result: [].

I was able to add http authentication with:

TSQLRestServerFullMemory.CreateWithOwnedAuthenticatedModel([], 'user', TSQLAuthUser.ComputeHashedPassword('pass'));

But can I run the websocket and https together? As using this method the username and hashed password are exposed on the URL.

What I'd like to do is allow websocket only connection to authenticated clients only (the clients will be all Delphi applications, both the application which notifies and the clients).

Which is the recommended way to implement that?

Last edited by fabioxgn (2015-11-20 16:42:12)

Offline

#2 2015-11-20 17:50:36

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Websocket server authentication

Why not just use Websockets in our binary format, with encryption and compression enabled?

Offline

#3 2015-11-20 18:11:18

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: Websocket server authentication

ab wrote:

Why not just use Websockets in our binary format, with encryption and compression enabled?

That's what I'm doing, but I can make requests using HTTP to urls like: root/NotificationService.Notify and it is executing the methods.

I might be doing something wrong, here's my current code based on the chat sample:

    Server := TSQLRestServerFullMemory.CreateWithOwnModel([]);
    Service := Server.ServiceDefine(TNotificationService, [ICallBackService], sicShared).SetOptions([], [optExecLockedPerInterface]);
   Service.ByPassAuthentication := true;


    HttpServer := TSQLHttpServer.Create('8888', [Server], '+', useBidirSocket);
    HttpServer.WebSocketsEnable(Server, 'my_key');
    writeln('Press [Enter] to quit'#13#10);
    readln;

I might be confusing things as I don't know exactly how websockets work, but as far as I understand this is exposing my interface methods using http on http://localhost:8888/root/ is it not? If I make a request in the browser it hits my code.

Last edited by fabioxgn (2015-11-20 18:31:19)

Offline

#4 2015-11-25 12:16:21

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: Websocket server authentication

Any thoughts about this? Or any way to allow only my Delphi client to call the server methods?

Offline

#5 2015-11-27 14:56:08

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Websocket server authentication

Yes, the interface is exposed over plain http.

This is why "Service.ByPassAuthentication := true" in your code may not be a good idea.

We may check the UserAgent, but it may be easy for a caller to fake it.
What we may do is to force that some service executions may be available only via WebSockets...

Offline

#6 2015-11-30 11:57:52

fabioxgn
Member
Registered: 2015-11-06
Posts: 34

Re: Websocket server authentication

Force the service to be available only via websockets for me is enough, how can I do that?

Offline

Board footer

Powered by FluxBB