Fork me on GitHub
Drew Verlee00:08:28

I ended just restricting the origin, which seemed easier to implement and just as secure. Maybe that token was a method before that was an option? Unclear.

Dave Russell09:08:54

Not sure if this relates to your immediate problem but > the login depends on the websocket connection The origin is forgeable for websocket connections 🙂

Drew Verlee13:08:20

@U01BP1CB37B What i think is being protected by the server checking the origin is an http upgrade to ws request with a different (malicious) origin, that could exposed auth information in cookies. > The origin is forgeable for websocket connections Can you be explain more? I turned off the token because it was throwing errors for reasons i haven't gotten around to understanding, if you think that causes an issue i would love to know.

Dave Russell14:08:08

Sure -- I don't really have the context for your immediate problem but here's some reading that may be interesting 🙂 > However, remember that the Origin header is essentially advisory: non-browser clients can easily set the Origin header to any value, and thus “pretend” to be a browser. Meaning that if you're using the Origin header as some kind of security check on your backend, it can easily be forged by a malicious client

Drew Verlee14:08:00

interesting, this is frustrating because of the massive amount of emphasis put on the origin.

Drew Verlee14:08:18

i really should just use keycloak and just follow instructions verbatim.

Drew Verlee14:08:28

could a non-browser client make a get request and get all the session cookies though?

Drew Verlee14:08:54

Yea, i think it's safe. the malicious client can spoof the origin, but it won't get the cookies then, because it's not making the request from the browser which has them.

Drew Verlee14:08:06

i mean, i would like to add the token, it's frustrating that i can't figure out why it's failing. But i'll circle back to it...

Drew Verlee14:08:08

I added a comment to the old on senti about the concern, just to see if anyone can clarify.

Drew Verlee14:08:56

For my use case, this bit summarizes the whole thing nicely: > A non-browser client, however, cannot access the session cookies stored in your browser. Even if the attacker spoofs Origin, their request will be denied because they’re not authenticated. > from