node.js websockets的基本身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6714966/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
basic authentication for websockets
提问by Gert Cuykens
When I create a new websocket using chrome
当我使用 chrome 创建一个新的 websocket 时
new WebSocket('ws://gert:[email protected]:8001/dbname')
The nodejs server receives
nodejs服务器接收
GET /dbname HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: 127.0.0.1:8001
Origin: http://127.0.0.1:8000
Sec-WebSocket-Key1: ' 5 5) 4 1e a9 9 0 19
Sec-WebSocket-Key2: 3000909100 Q
How can I retrieve gert and passwd?
如何检索 gert 和 passwd?
采纳答案by Andrey Sidorov
is seems like chrome does not pass basic auth data in ws headers indeed. Why not have login/pwd as part of url query string? (and use secure wss)
似乎 chrome 确实没有在 ws 标头中传递基本身份验证数据。为什么不将登录/密码作为 url 查询字符串的一部分?(并使用安全的 wss)
回答by Yogaraj Baskaravel
Chrome was not passing the authorization header as part of upgrade request. That resulted in authentication failure.
Chrome 未将授权标头作为升级请求的一部分传递。这导致身份验证失败。
The issue seems to be fixed in the latest chromium Here
该问题似乎已在最新的 Chromium Here 中得到解决
回答by Chad
The Authorizationheader was not mentioned in the WebSocket spec until Hybi-13. Chrome implements hybi-00 and hybi-10 (depending on the version of Chrome) so it wasn't a requirement of the implementation.
该Authorization头不是在WebSocket的规格中提到,直到Hybi-13。Chrome 实现了 hybi-00 和 hybi-10(取决于 Chrome 的版本),因此它不是实现的要求。
Now that it's mentioned in the protocol, maybe Google will implement it, but I wouldn't guarantee putting "user:pass@..." in the URI would necessarily be the way to do it, it might require a change to the browser's WebSocket API.
既然协议中提到了它,也许 Google 会实现它,但我不保证将“user:pass@...”放在 URI 中一定是这样做的方法,它可能需要更改浏览器的WebSocket API。
回答by Alfred
SSL
安全证书
I found this link on Quora.
I agree you could use SSL and just sent those credentials as first message.
我同意您可以使用 SSL 并将这些凭据作为第一条消息发送。
Socket.io
Socket.io
You could also use socket.io which also has websockets transport to do authorizing
您还可以使用 socket.io 也有 websockets 传输来进行授权
回答by Fabian Jakobs
Chrome does send cookies with websocket connections. If you have a session cookie you can use the session cookie to identify the user initiating the websocket connection.
Chrome 确实通过 websocket 连接发送 cookie。如果您有会话 cookie,您可以使用会话 cookie 来识别发起 websocket 连接的用户。
