Open kazepis opened 2 years ago
Has anyone seen this?
Hello @kazepis, I have certainly seen it!
I love websocket-sharp, but one has to be able to add an "upgrade" header with a JWT token to use normal modern JWT security.
It seems this is still not available??
The JWT can be provided either in the request headers or as a URL param. Both approaches are equally insecure. I chose the latter, being influenced by Microsoft’s SignalR.
@kazepis thanks -
I guess with websocket-sharp, we can add a URL param with no problem?
It's a shame; things like Cloudflare, AWS, load balancers, etc. look for the straightforward "upgrade" header, just like any HTTP request with an "upgrade".
Hello everybody. First of all, I would like to say a big thank you to all of this repo's developers out there. Thank you for offering this repo to the open source community.
Having said that, I have used websocket-sharp myself for opening web socket connections from web clients to .NET console applications. While developing, the need arose for a web socket server that can authenticate users trying to open the websocket by providing a JWT token in the URL, e.g. wss://address/path?token=jwtToken. From what I can tell, the current implementation does not support this kind of authentication, so I implemented it myself. I added an event that gets raised during the ws upgrade request, containing the token. Then, the event listener can get the token from the event, validate it and either proceed with the upgrade or close the connection. You can find the relevant commit here: https://github.com/kazepis/websocket-sharp/commit/0060bdb097f7af8650699692bf60c45d248ba6b6 I also upgraded everything to .NET 4.8 for MY needs. The massive diffs were produced because I have different formatting settings. You can easily find the actual change by searching for the event
public event EventHandler<HttpRequestEventArgs> OnWebSocketUpgradeRequest;
If this functionality addition is welcome in this repo, I would happily make a "clean" pull request. If yes, are there any contributing guidelines I should follow? So please let me know.
Best, N.
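The validation step that a listener for the upgrade event described in this post could run on the request URL, as an added example that is not code from websocket-sharp or from the linked commit. `UpgradeTokenValidator` and its members are hypothetical names; the sketch assumes an HS256 token signed with a shared key and .NET Framework 4.8 with references to System.Web and System.Web.Extensions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;                       // HttpUtility (System.Web.dll)
using System.Web.Script.Serialization;  // JavaScriptSerializer (System.Web.Extensions.dll)
// Hypothetical helper; not part of websocket-sharp or the linked commit.
public static class UpgradeTokenValidator
{
    // True only if ?token= carries an unexpired HS256 JWT signed with 'key'.
    public static bool TryValidate(Uri requestUrl, byte[] key, DateTime utcNow, out string subject)
    {
        subject = null;
        try
        {
            string token = HttpUtility.ParseQueryString(requestUrl.Query)["token"];
            string[] parts = (token ?? "").Split('.');
            if (parts.Length != 3) return false;
            var json = new JavaScriptSerializer();
            var header = json.Deserialize<Dictionary<string, object>>(Decode(parts[0]));
            object alg, exp, sub;
            // Pin the algorithm so the token cannot select "none" or another scheme.
            if (!header.TryGetValue("alg", out alg) || !"HS256".Equals(alg)) return false;
            byte[] expected;
            using (var hmac = new HMACSHA256(key))
                expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            if (!FixedTimeEquals(expected, FromBase64Url(parts[2]))) return false;
            // Claims are read only after the signature has been verified.
            var claims = json.Deserialize<Dictionary<string, object>>(Decode(parts[1]));
            if (!claims.TryGetValue("exp", out exp)) return false;  // expiry is mandatory
            var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            if (epoch.AddSeconds(Convert.ToDouble(exp)) <= utcNow) return false;
            subject = claims.TryGetValue("sub", out sub) ? sub as string : null;
            return true;
        }
        catch (Exception) { return false; }  // malformed URL, base64 or JSON: refuse the upgrade
    }
    static string Decode(string s) { return Encoding.UTF8.GetString(FromBase64Url(s)); }
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call it with the upgrade request's URL and `DateTime.UtcNow`, and close the connection when it returns false. The expiry claim is required because a token carried in a URL can end up in server and proxy access logs.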