django / channels

Developer-friendly asynchrony for Django
https://channels.readthedocs.io
BSD 3-Clause "New" or "Revised" License

OriginValidator could raise exception/log message for denied connections #2062

Open pztrick opened 7 months ago

pztrick commented 7 months ago

The OriginValidator and AllowedHostsOriginValidator do not currently log anything to stdout/stderr when requests are denied.

API client tools like Insomnia may not set any Origin header when making a websocket request, or users could have their ALLOWED_HOSTS misconfigured, resulting in this output:

WebSocket HANDSHAKING /ws/echo/ [172.20.0.1:51624]
WebSocket REJECT /ws/echo/ [172.20.0.1:51624]
WebSocket DISCONNECT /ws/echo/ [172.20.0.1:51624]

No information is given for why the request was rejected.

The OriginValidator could output an exception to stderr or another logger similar to its HTTP counterpart django.core.exceptions.DisallowedHost. This would result in friendlier output, e.g.:

WebSocket HANDSHAKING /ws/echo/ [172.20.0.1:51624]
> Invalid Origin header: 'example.com:8621'. You may need to add 'example.com' to ALLOWED_HOSTS.
WebSocket REJECT /ws/echo/ [172.20.0.1:51624]
WebSocket DISCONNECT /ws/echo/ [172.20.0.1:51624]

carltongibson commented 7 months ago

Ok, if we used a logger (rather than stdout/stderr) we could do this.
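
The logger-based approach discussed in this thread, as an added example that is not part of the thread and is not Channels' own code: a stand-alone ASGI wrapper that denies WebSocket handshakes from disallowed origins and records the reason. The class name, logger name, `denial_reason` and `run_handshake` are assumptions made for illustration, and the handshake data is constructed.

```python
import asyncio
import logging
from urllib.parse import urlparse

logger = logging.getLogger("origin_validator_example")  # hypothetical logger name

class LoggingOriginValidator:
    """ASGI wrapper (not Channels code): deny disallowed Origins and log why."""

    def __init__(self, application, allowed_hosts):
        self.application = application
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def denial_reason(self, scope):
        """Return None when the Origin is allowed, else the message to log."""
        origin = None
        for name, value in scope.get("headers", []):
            if name == b"origin":
                origin = value.decode("latin1")
        if origin is None:
            return "Missing Origin header."
        try:
            host = urlparse(origin).hostname
        except ValueError:  # e.g. a malformed IPv6 literal
            host = None
        if host in self.allowed_hosts:
            return None
        # %r escapes CR/LF, so a hostile header value cannot forge log lines.
        reason = "Invalid Origin header: %r." % origin
        if host:
            reason += " You may need to add %r to ALLOWED_HOSTS." % host
        return reason

    async def __call__(self, scope, receive, send):
        if scope["type"] != "websocket":
            return await self.application(scope, receive, send)
        reason = self.denial_reason(scope)
        if reason is None:
            return await self.application(scope, receive, send)
        logger.warning("%s path=%r client=%s", reason, scope.get("path"), scope.get("client"))
        # Closing before accepting rejects the handshake.
        await send({"type": "websocket.close"})

def run_handshake(validator, headers):
    """Drive one constructed handshake and return the ASGI messages sent."""
    sent = []
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": "websocket.connect"}
    scope = {"type": "websocket", "path": "/ws/echo/",
             "client": ["172.20.0.1", 51624], "headers": headers}
    asyncio.run(validator(scope, receive, send))
    return sent
```

Using a named logger at WARNING level lets a deployment route repeated rejections for the same origin to monitoring without changing what the client sees.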