
From a Medium article by the creator of Quart (https://medium.com/@pgjones/websockets-in-quart-f2067788d1ee):

Authentication

The ability to control the acceptance is most useful when authorising requests, as it allows the request headers to be checked and either the upgrade accepted or a 401 returned. A simple example is,

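```python
from functools import wraps
from secrets import compare_digest

from quart import Quart, abort, current_app, websocket

app = Quart(__name__)


def auth_required(func):
    @wraps(func)
    async def wrapper(*args, **kwargs):
        # Basic-auth credentials parsed from the handshake's Authorization header
        auth = websocket.authorization
        if (
            auth is not None and
            auth.username == current_app.config['USERNAME'] and
            compare_digest(
                auth.password, current_app.config['PASSWORD'],
            )
        ):
            return await func(*args, **kwargs)
        else:
            # Reject the upgrade before the websocket is accepted
            abort(401)
    return wrapper


@app.websocket('/ws')
@auth_required
async def ws():
    ...
```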

But how does client-side JavaScript cause the `websocket.authorization` attribute to be populated?

`var ws = new WebSocket('ws://' + 'user' + ':' + 'pass' + '@' + document.domain + ':' + location.port + '/ws');` appears to have been deprecated in the last couple of years, and custom headers in the HTTP request for a websocket are not supported.

  • Have you ruled out using a cookie? – pgjones Jan 24 '20 at 21:35
  • Yep I see how to retrieve the cookie now using websockets. But am I correct in thinking the `quart.flask_patch` with `flask_login` can't be used with websockets in Quart? So one way or another I have to roll my own system basically? Set a challenge with expiry etc and keep some state server side? – jsstuball Jan 25 '20 at 20:02
  • Yea `flask_login` has no concept of websockets so it does nothing on websocket requests. – pgjones Jan 30 '20 at 16:10
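
The cookie approach raised in the comments, as an added example that is not part of the original question or of Quart's own code: an authenticated HTTP route issues a short-lived HMAC-signed ticket as a cookie, and the websocket handshake is accepted only if the ticket and the `Origin` header both check out. It uses only the standard library; the cookie name `ws_ticket`, the key, the TTL, the allowed origin and the plain-dict `headers` argument are all assumptions. The ticket is stateless, so it can be replayed until it expires; single-use tickets would need the server-side state the asker mentions.

```python
import hashlib
import hmac
import time
from http.cookies import CookieError, SimpleCookie

# All names and values below are constructed for this example.
SECRET = b"replace-with-random-server-side-key"
TICKET_TTL = 30  # seconds between issuing the ticket and opening the socket
ALLOWED_ORIGINS = {"https://app.example"}


def issue_ticket(username, now=None):
    """Build the cookie value; call this from an already-authenticated HTTP route."""
    expires = int(time.time() if now is None else now) + TICKET_TTL
    payload = f"{username}|{expires}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.hex()}.{mac}"


def verify_handshake(headers, now=None):
    """Return the username if the upgrade may be accepted, else None (send 401)."""
    # Browsers can attach cookies to a WebSocket handshake started from another
    # site, so the Origin header is checked before the cookie is trusted.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return None
    try:
        cookie = SimpleCookie(headers.get("Cookie", ""))
        payload_hex, mac_hex = cookie["ws_ticket"].value.split(".")
        payload = bytes.fromhex(payload_hex)
        expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison, as in the decorator quoted in the question.
        if not hmac.compare_digest(mac_hex.encode(), expected.encode()):
            return None
        username, expires = payload.decode().rsplit("|", 1)
        if int(expires) < (time.time() if now is None else now):
            return None
    except (KeyError, ValueError, CookieError):
        return None
    return username
```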

0 Answers