Authorization using Basic Http Auth

[boraozgen]

I am using the WS server library. There is a setAuthorization function that expects Basic HTTP creditentials, however I could not manage to make use of it since browser websocket plugins do not support additional authorization headers. How can I secure the WS server with a username and password? Thank you.

[Links2004]

Basic Http Auth authorization is supportet by the native wswebsocket of any browser.
simple do: "ws://user:pw@IPofESP/"as url.

if this not possible, a link to the browser websocket plugins you are talking about helps to find a way.
if still not possible you can implement you own authorization on top the websocket connection.

[boraozgen]

Well here is the ESP code:

webSocket.setAuthorization("admin","1234");
webSocket.begin();
webSocket.onEvent(webSocketEvent);

Here is my JS code:

var wsUri = "ws://admin:1234@10.0.0.160:81/";
websocket = new WebSocket(wsUri);
...

Here is the request generated by Mozilla:

GET / HTTP/1.1

Host: 10.0.0.160:81

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Sec-WebSocket-Version: 13

Origin: null

Sec-WebSocket-Extensions: permessage-deflate

Sec-WebSocket-Key: 8Be+3dMhyTY1VFLLKI4Akw==

Connection: keep-alive, Upgrade

Pragma: no-cache

Cache-Control: no-cache

Upgrade: websocket

And the response from ESP is a 400 Bad Request with the payload:

This is a Websocket server only!

[Links2004]

Please enable the debug output and post the results here.

1. Set debug port in IDE Menu
2. enable debug for Websockets (https://github.com/Links2004/arduinoWebSockets/blob/master/src/WebSockets.h#L30)

[boraozgen]

The browser does not seem to send any authorization headers.

[WS-Server][0] new client from 10.0.0.71
[WS-Server][0][handleHeader] RX: GET / HTTP/1.1
[WS-Server][0][handleHeader] RX: Host: 10.0.0.160:81
[WS-Server][0][handleHeader] RX: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
[WS-Server][0][handleHeader] RX: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[WS-Server][0][handleHeader] RX: Accept-Language: en-US,en;q=0.5
[WS-Server][0][handleHeader] RX: Accept-Encoding: gzip, deflate
[WS-Server][0][handleHeader] RX: Sec-WebSocket-Version: 13
[WS-Server][0][handleHeader] RX: Origin: null
[WS-Server][0][handleHeader] RX: Sec-WebSocket-Extensions: permessage-deflate
[WS-Server][0][handleHeader] RX: Sec-WebSocket-Key: c4/Tm+5s3/6Jxag5NDB6jA==
[WS-Server][0][handleHeader] RX: Connection: keep-alive, Upgrade
[WS-Server][0][handleHeader] RX: Pragma: no-cache
[WS-Server][0][handleHeader] RX: Cache-Control: no-cache
[WS-Server][0][handleHeader] RX: Upgrade: websocket
[WS-Server][0][handleHeader] Header read fin.
[WS-Server][0][handleHeader]  - cURL: /
[WS-Server][0][handleHeader]  - cIsUpgrade: 1
[WS-Server][0][handleHeader]  - cIsWebsocket: 1
[WS-Server][0][handleHeader]  - cKey: c4/Tm+5s3/6Jxag5NDB6jA==
[WS-Server][0][handleHeader]  - cProtocol: 
[WS-Server][0][handleHeader]  - cExtensions: permessage-deflate
[WS-Server][0][handleHeader]  - cVersion: 13
[WS-Server][0][handleHeader]  - base64Authorization: 
[WS-Server][0][handleHeader] no Websocket connection close.
[WS-Server][0] client disconnected.

[Links2004]

strange, i am sure I have test it like this in Chrome during implementation.
RFC says HTTP Authentication is supported.
https://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-13#section-10.5
https://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-13#section-11.1.2

try to take a look at weckend.

[boraozgen]

I also tried Chrome, but no success. I will be waiting for your response. If it works, please post the JS code of your web app.

[bachi76]

@Links2004 There are actually two issues here.

1. If WebSocketsServer has an auth string set, but the client does not, then WebSocketServer responds with a 400, which imho is wrong and should be 401.

https://github.com/Links2004/arduinoWebSockets/blob/master/src/WebSocketsServer.cpp#L769

if(_base64Authorization.length() > 0) {
        if(client->base64Authorization.length() > 0) {
            String auth = WEBSOCKETS_STRING("Basic ");
            auth += _base64Authorization;
            if(auth != client->base64Authorization) {
                DEBUG_WEBSOCKETS("[WS-Server][%d][handleHeader] HTTP Authorization failed!\n", client->num);
                handleAuthorizationFailed(client);
                return;
            }
        } else {
            ok = false; // <== triggers 400 bad request, but should call handleAuthorizationFailed() instead
        }
    }

2. It really seems that both FF and Chrome do not set the authorsation header when using the ws://user:pass@... form. Sad.

[Links2004]

have done some research, looks like it only work when the page that contains the websocket code use the same Basic out.

some Infos can be found here:
https://bugs.chromium.org/p/chromium/issues/detail?id=123862
they have only partially fixed it, using the same auth then the webpage when there is one.
But for some reason they never Display the credentials box for websockets when they get a 401.