Skip to content

Security for WebSockets #77

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
dmgav wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

Security for WebSockets #77

dmgav wants to merge 9 commits into from

Conversation

@dmgav
Copy link
Contributor

@dmgav dmgav commented Dec 9, 2025
edited
Loading

Implementation of websocket security. The clients must authenticate with the server when connecting to the websocket. If authentication fails, then the connection is immediately closed. Clients can authenticate with the server using API keys. The authentication scheme is identical to the scheme used for other API endpoints. If the client is using tokens, it must request a short-lived API key from the server and use it to establish the connection. Once connection is established, the key should be revoked.

The websockets implemented in #74 are not secured. The security is added in this PR.

Summary of Changes for Release Notes

Added

  • Security for websockets (support for authentication using API keys).

How Has This Been Tested?

Unit tests were added.

@dmgav dmgav changed the title ENH: security for websockets Security for WebSockets Dec 9, 2025
danielballan
danielballan reviewed Dec 11, 2025
View reviewed changes
bluesky_httpserver/authentication.py Outdated
auth_header = websocket.headers.get("Authorization", "")
access_token, api_key = None, None
if auth_header.startswith("Bearer "):
access_token = auth_header[len("Bearer") :].strip()
Copy link
Member

@danielballan danielballan Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For what it's worth, we chose not to support these in Tiled because there is no mechanism for the server to request that they be refreshed, since it cannot send HTTP response codes.

Instead, the client mints a short-lived API key and revokes it after the connection is formed.

Copy link
Contributor Author

@dmgav dmgav Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense. It should be possible to implement a refresh scheme when a token is validated by sending a plain HTTP request in case connection to a websocket fails and then refreshed if requested by the server, but it does not look like a standard approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danielballan danielballan danielballan left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dmgav @danielballan