Verified Commit 32c8ac65 authored by Torsten Grote

[headless] change websocket authentication from basic auth to token message

parent c12422d9
Pipeline #2738 passed with stage in 8 minutes and 59 seconds
......@@ -161,21 +161,18 @@ The Briar peer uses a websocket to notify a connected API client about new event
`WS /v1/ws`
The websocket request must use basic auth,
with the authentication token as the username and a blank password.
Immediately after making the connection,
you must send the authentication token as a message to the websocket.
If you fail to do this, you will not receive messages on that socket.
You can test connecting to the websocket with curl:
In JavaScript, it would look like this:
$ curl --no-buffer \
--header "Connection: Upgrade" \
--header "Upgrade: websocket" \
--header "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" \
--header "Sec-WebSocket-Version: 13" \
--user "DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk="
The headers are only required when testing with curl.
Your websocket client will most likely add these headers automatically.
var token = "DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk=";
var socket = new WebSocket("ws://localhost:7000/v1/ws");
socket.onopen = function(event) { socket.send(token); };
socket.onmessage = function(event) { console.log(; }
### Receiving new private messages
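Review bot: the new text only says that a client which never sends the token "will not receive messages", but the server side of this commit closes the socket with close code 1008 ("Invalid Authentication Token") when the first message is not the token; the documentation should state that behaviour so clients know to expect a 1008 close rather than a silent socket. It is also worth noting next to the JavaScript example that the token is a bearer secret sent in cleartext as the first frame, so `ws://localhost:7000/v1/ws` is only appropriate on the loopback interface; anything beyond loopback needs TLS (`wss://`). Finally, the `onmessage` handler's `console.log(` call is incomplete as shown and should log the received payload, for example ``.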
......@@ -9,7 +9,6 @@ import io.javalin.JavalinEvent.SERVER_START_FAILED
import io.javalin.JavalinEvent.SERVER_STOPPED
import io.javalin.NotFoundResponse
import io.javalin.apibuilder.ApiBuilder.*
import io.javalin.core.util.ContextUtil
import io.javalin.core.util.Header.AUTHORIZATION
import org.briarproject.briar.headless.blogs.BlogController
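Review bot: with `ContextUtil` gone, the only consumer of `Header.AUTHORIZATION` in this part of the file was the basic-auth parsing in `onConnect`; please confirm the `AUTHORIZATION` import on the kept line is still referenced elsewhere in the class (for example by the REST endpoints), and drop it if it is now unused.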
......@@ -20,6 +19,7 @@ import org.briarproject.briar.headless.messaging.MessagingController
import java.lang.Runtime.getRuntime
import java.lang.System.exit
import java.util.concurrent.atomic.AtomicBoolean
import java.util.logging.Level
import java.util.logging.Logger.getLogger
import javax.annotation.concurrent.Immutable
import javax.inject.Inject
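Review bot: `java.util.logging.Level` is added only for the `logger.isLoggable(Level.INFO)` guard around the `onConnect` log line; that guard is fine, but the same consideration applies to the `onMessage` branch below, which builds the `"Invalid message received: $msg"` string unconditionally, so either guard both or neither for consistency.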
......@@ -85,13 +85,16 @@ constructor(
}"/v1/ws") { ws ->
ws.onConnect { session ->
val authHeader = session.header(AUTHORIZATION)
val token = ContextUtil.getBasicAuthCredentials(authHeader)?.username
if (authToken == token) {"Adding websocket session with ${session.remoteAddress}")
if (logger.isLoggable(Level.INFO)) ws.onConnect { session ->"Received websocket connection from ${session.remoteAddress}")"Waiting for authentication")
ws.onMessage { session, msg ->
if (msg == authToken && !webSocketController.sessions.contains(session)) {"Authenticated websocket session with ${session.remoteAddress}")
} else {"Invalid message received: $msg")"Closing websocket connection with ${session.remoteAddress}")
session.close(1008, "Invalid Authentication Token")
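Review bot: the `onMessage` condition `msg == authToken && !webSocketController.sessions.contains(session)` sends every message from an already-authenticated session into the `else` branch, so a client that re-sends the token, or sends anything at all after authenticating, gets closed with 1008; if that is intended it should be documented, otherwise check `sessions.contains(session)` first and ignore (or separately handle) messages from authenticated sessions. Two further points on the same branch: `msg == authToken` is an ordinary `String` comparison that returns as soon as a byte differs, so compare the token bytes with `java.security.MessageDigest.isEqual` instead; and `"Invalid message received: $msg")` writes arbitrary client-supplied data (including near-miss tokens) into the log, so log only that an invalid message was received, or at most its length. Also, a connection that never sends a message now stays open in the "Waiting for authentication" state indefinitely, since nothing in the hunk closes unauthenticated sessions after a timeout; consider closing sessions that have not authenticated within a short interval so idle unauthenticated sockets cannot accumulate.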