rawpython / remi

Python REMote Interface library. Platform independent. In about 100 Kbytes, perfect for your diet.
Apache License 2.0

authentication: Websocket connection unauthorized? #152

Open bernhardreiter opened 8 years ago

bernhardreiter commented 8 years ago

When requesting authentication like

```python
from remi import start  # remi exports start() and App at package level

# MyApp is the poster's App subclass (not shown in the report)
start(MyApp, debug=True, start_browser=False,
      port=9091, websocket_port=50000,
      username='me', password='letmein')
```

There is a basic auth header sent with the HTTP request to the HTTP port, but I do not see any authentication on the websocket port. What prevents a malicious client from initiating a websocket connection?

nzjrs commented 8 years ago

What prevents a malicious client from initiating a websocket connection?

nothing

nzjrs commented 8 years ago

I have always tried to emphasize remi as a desktop ui alternative, and not a toolkit for people wanting to make websites without learning javascript. In some sense I regret adding authentication at all, as it helps to give such an incorrect impression.

bernhardreiter commented 8 years ago

@nzjrs the other solution is to be very explicit about this and add a huge warning.

Remi as a webapp building application would be attractive so I guess many people will get the idea anyway. In addition I believe that security aspects are interesting for desktop ui use as well.

bernhardreiter commented 8 years ago

Maybe adding basic-auth to the websocket connection would be a reasonable next step.

bernhardreiter commented 8 years ago

Here is a helpful link I've found https://devcenter.heroku.com/articles/websocket-security
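One way to implement what the two comments above ask for (Basic auth on the websocket handshake, plus the Origin check the linked Heroku article recommends), as an added example that is not remi's code: the server inspects the WebSocket upgrade request, rejects it unless the Origin header is on an allowlist and the Authorization header carries the expected Basic credentials, and only then computes the Sec-WebSocket-Accept value from RFC 6455. The request bytes, the origin allowlist, the port numbers and the `me`/`letmein` credentials are constructed here for illustration.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fixed GUID every WebSocket server appends to the client key (RFC 6455, section 4.2.2)
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


@dataclass
class HandshakeResult:
    status: int                       # HTTP status the server should answer with
    accept_key: Optional[str] = None  # Sec-WebSocket-Accept, only set on 101
    reason: str = ""


def parse_upgrade_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split the handshake into request line and lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only; values may contain ':'
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_basic_auth(header: Optional[str], user: str, password: str) -> bool:
    """Validate an 'Authorization: Basic <b64>' header with constant-time compares."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both compares so timing does not reveal which field was wrong
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    pass_ok = hmac.compare_digest(got_pass.encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok


def websocket_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(sha1(key + GUID)) per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def authorize_upgrade(raw: bytes, *, allowed_origins, username: str,
                      password: str) -> HandshakeResult:
    """Decide whether an upgrade request may become a websocket session."""
    _, h = parse_upgrade_request(raw)
    if h.get("upgrade", "").lower() != "websocket" or \
            "upgrade" not in h.get("connection", "").lower():
        return HandshakeResult(400, reason="not a websocket upgrade")
    if h.get("origin") not in allowed_origins:   # cross-site pages cannot connect
        return HandshakeResult(403, reason="origin not allowed")
    if not check_basic_auth(h.get("authorization"), username, password):
        return HandshakeResult(401, reason="missing or wrong credentials")
    key = h.get("sec-websocket-key")
    if not key:
        return HandshakeResult(400, reason="missing Sec-WebSocket-Key")
    return HandshakeResult(101, accept_key=websocket_accept(key))


def build_upgrade_request(origin: str, key: str, credentials: Optional[str] = None,
                          host: str = "localhost:50000") -> bytes:
    """Constructed sample handshake in the shape a browser sends (RFC 6455, section 4.1)."""
    lines = [
        "GET / HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",
    ]
    if credentials is not None:
        lines.append("Authorization: Basic " +
                     base64.b64encode(credentials.encode("utf-8")).decode("ascii"))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    # Assumed deployment: UI served from port 9091, websocket on port 50000
    policy = dict(allowed_origins={"http://localhost:9091"}, username="me", password="letmein")
    sample_key = "dGhlIHNhbXBsZSBub25jZQ=="   # the RFC 6455 example key
    for label, req in [
        ("anonymous", build_upgrade_request("http://localhost:9091", sample_key)),
        ("cross-site", build_upgrade_request("http://evil.example", sample_key, "me:letmein")),
        ("authorized", build_upgrade_request("http://localhost:9091", sample_key, "me:letmein")),
    ]:
        print(label, authorize_upgrade(req, **policy))
```

Two caveats for anyone wiring a check like this into a real server: the browser WebSocket API gives page script no way to set an Authorization header, and Basic credentials cached for the HTTP port are scoped to that scheme/host/port, so a browser will not replay the port-9091 credentials to a handshake on port 50000 on its own. The usual workaround, which the Heroku article also describes, is for the authenticated HTTP page to hand the client a short-lived random token that the client presents in the upgrade request (query string or first message) and the server validates in place of `check_basic_auth`; the Origin check and the accept-key computation stay the same. Without TLS (`wss://`) any of these secrets travel in cleartext.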

simplynail commented 7 years ago

What about using remi as gui/client all the way (with callbacks just modifying the US or sending requests to server) and on the server side having only a Rest API that responds? Wouldn't it solve it?

simplynail commented 7 years ago

I meant 'modifying UI'

nzjrs commented 7 years ago

That would be a rewrite. Might as well wait for server sent events to be more popular.

simplynail commented 7 years ago

No, I mean to have remi gui app running as local server on desktop/client and somewhere on the Web having eg Flask receiving queries and sending json responses

nzjrs commented 7 years ago

What problem are you trying to solve? I'm sorry I don't see the connection to this bug.

simplynail commented 7 years ago

As you stated before, remi doesn't aim to be a web framework and thus this is not actually a bug. So you are right that this doesn't solve the bug, but maybe it can be a sufficient workaround in some cases. That's it.