Important: Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

QWebSocketServer Authorization Mechanism



  • I want to develop a WebSocketServer which can check whether current user can connect to the server or not.
    In my opinion, we can check the HTTP header "Authorization" when QWebsocketServer handshaking with client.

    The way to authorization:

    1. Login with username and password normally via HTTP
      The following request is what our request look like:
      POST /login HTTP/1.1
      Host: foo.com
      Content-Type: application/json
      Cache-Control: no-cache
      
      {
      	"username": "foo",
      	"password": "bar"
      }
      
      And we will get a token from server if login successfully: {"token": "authorization_token"}
    2. Add the token which we received from server to the "handshaking" request
      GET / HTTP/1.1
      Accept-Encoding:gzip, deflate, sdch
      Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
      Authorization:Bearer authorization_token
      Cache-Control:no-cache
      Connection:Upgrade
      Upgrade: websocket
      
      I use Bearer token here for example.
    3. Then check "Authorization" header in Server, if the token is valid, accept connection, otherwith, reject it.

    I simplified 3 steps above into picture.
    alt text

    But I trace the source code, I found there is no way to implement this.
    At line from 405 to 485 in file qtwebsockets/src/websockets/qwebsocketserver_p.cpp is the function: handshakeReceived()

    I recommend to add something in here:

     if (request.isValid()) {
            QWebSocketCorsAuthenticator corsAuthenticator(request.origin());
            Q_EMIT q->originAuthenticationRequired(&corsAuthenticator);
    
            /**
             * Here is start of my code
             */
            if(authenticator != Q_NULLPTR) {
                if(!authenticator->validate(request.headers())) {
                     // header invalid, try to close socket
                }
            }
    
            /**
             * Here is end of my code
             */
    
            QWebSocketHandshakeResponse response(request,
                                                 m_serverName,
                                                 corsAuthenticator.allowed(),
                                                 supportedVersions(),
                                                 supportedProtocols(),
                                                 supportedExtensions());
    

    and the "authenticator" should be a class like this:

    class QWebSocketAuthenticator : public QObject
    {
        Q_OBJECT
    public:
        QWebSocketAuthenticator() {}
        virtual QWebSocketAuthenticator() {}
        virtual bool validate(QMap<QString, QString> headers) = 0;
    }
    

    Those developers who want to check whether to accept this incomming connection or not, just inherit this class and implement validate() function.



  • @FloatFlower.Huang you may want to check for some other authorization options for WebSockects, see this post for instance.



  • @Pablo-J.-Rogina
    Thanks for your reply. But in the article you mentioned said that we can authenticate socket via cookie, or pass authorization header when connecting, but in QWebsocketServer, we can only access "origin" in header, so we cannot authenticate socket before accepting connection.
    Furthermore , I think that authenticating socket after accepting connection is not a good way. Because attackers can initiate a lot of zombie websockets to connect to server, although these "zombie" do anything but they will occupy lots of resources of server.