WebSockets are a great way to transmit real-time data. I use them quite often, from streaming the Pi camera to the web, controlling lights, controlling a Raspberry Pi picture frame, and controlling my sprinklers (pending post), all with the Raspberry Pi. But if it's done without security, someone somewhere can tap in and take control. Things could end up pretty bad if it's used to stream video and control lighting.
1. WSS (WebSockets over SSL/TLS).
First, I strongly recommend SSL/TLS encryption. Just like HTTPS, it encrypts the traffic between the client and server. Nothing should be transmitted in plain text to a client. Anyone smart enough to be listening on the connection can probably work out how your websocket protocol works and take control. For examples of how to create a wss-capable server refer to:
- NodeJS
- Autobahn Python (Twisted):
2. Query String Authentication
Create a connection to your websocket server by taking your connection parameters (sometimes a username/password) and appending them as a query string to the end of the connection URL:
var websocket = new WebSocket("wss://rpi?user=Eben&password=Upton");
I don't recommend doing it that way, especially if you don't have a secure SSL/TLS connection.
3. CHAP Authentication (Challenge Response Authentication)
I didn't like the query string method, and knowing that just securing the channel using SSL/TLS wasn't enough, I tried implementing a CHAP authentication routine for my Autobahn WS server on my Pi.
CHAP is explained on Wikipedia. CHAP is a 3-way handshake:
- Client connects to the websocket server; the server then sends a challenge string (random characters of random or set length) to the client.
- Client responds with the hash of the challenge + 'shared secret'.
- Server hashes the challenge it sent together with the 'shared secret' it has locally, compares the client's hash to its own, and either authenticates the client (adds it to the approved clients) or drops it.
The JavaScript library I used for SHA-256 is found here.
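The three-step exchange above, as an added example (not the post's own Autobahn code): both sides in plain Python, with the server keeping one outstanding challenge per connection, consuming it on first use, and comparing the hashes in constant time. SHARED_SECRET and the connection ids are constructed values.

```python
import hashlib
import hmac
import secrets

# Shared secret provisioned on both the Pi server and the trusted client
# (constructed sample value, not from the original post).
SHARED_SECRET = "pi-websocket-demo-secret"

def make_challenge(nbytes: int = 16) -> str:
    """Server side: a fresh, unpredictable challenge for every new connection."""
    return secrets.token_hex(nbytes)

def client_response(challenge: str, secret: str) -> str:
    """Client side: hex SHA-256 of challenge + shared secret, as in the post."""
    return hashlib.sha256((challenge + secret).encode("utf-8")).hexdigest()

class ChapServer:
    """Tracks the outstanding challenge per connection and the approved clients."""
    def __init__(self, secret: str):
        self._secret = secret
        self._pending = {}      # connection id -> challenge sent, awaiting a reply
        self.approved = set()   # connection ids allowed to send control commands

    def on_connect(self, conn_id: str) -> str:
        challenge = make_challenge()
        self._pending[conn_id] = challenge
        return challenge        # first message the server sends to the client

    def on_response(self, conn_id: str, response: str) -> bool:
        # A challenge is consumed on first use, so a replayed reply cannot pass.
        challenge = self._pending.pop(conn_id, None)
        if challenge is None:
            return False
        expected = client_response(challenge, self._secret)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if hmac.compare_digest(expected, response):
            self.approved.add(conn_id)
            return True
        return False

def run_handshake(server: ChapServer, conn_id: str, client_secret: str) -> bool:
    """Simulate the 3-way exchange for one connection; True means authenticated."""
    challenge = server.on_connect(conn_id)              # 1. server -> client
    reply = client_response(challenge, client_secret)   # 2. client -> server
    return server.on_response(conn_id, reply)           # 3. server verifies

if __name__ == "__main__":
    srv = ChapServer(SHARED_SECRET)
    print(run_handshake(srv, "conn-1", SHARED_SECRET))  # True
```

In a real Autobahn server the on_connect and on_response calls would sit in the protocol class's onOpen and onMessage handlers. For new designs, prefer HMAC-SHA256 keyed with the shared secret (hmac.new) over a plain hash of the concatenation.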
4. Basic/Digest/Forms Authentication
Basic/Digest is a common way the web authenticates its clients. It uses username and password authentication, and there are several APIs that support it. Explanation of Digest Auth
This can be done before a connection to the websocket server is made, using a POST to the server. The server can then add the client to the list of accepted connections.
5. Auth Header
*This only works if the client is NOT a webpage. Just like basic/digest authentication, some websocket servers can read custom headers. Through the current browser WebSocket API you are not able to modify the headers in any way. But your client may be able to set its auth header through Node.js, Autobahn, and SocketRocket.
Bonus. Using A Third Party Authentication
One way to authenticate is to use a third-party authentication service.
- Autobahn's GitHub has an example of using Mozilla Persona.
- Node.js authentication strategies (not with websockets, but it may be possible to implement).
Please share