I decided to write a websocket chat that he supported text messaging [unlimited number of characters, not like Twitter :)] and file transfer.
Ask this question. How to make banal identification data? That is, when the connection is open, the server is just a set of bytes, and even if there is json, it can be easy to substitute: mark as "message" and send confusing file(since the number of characters is not limited, it will sent to all people users).
That is, briefly, how to discern what comes from the user?
Thanks in advance!
P.S. Transfer files via jquery is not accepted, as the websocket is not protected.
UPD
Any wrote that did not understand a question essence. Explain: 1. There is a chat on tornado WS. 2. In chat can send as text messages and files. 3. I control it with javascript BUT if someone will make a connection and send a file for example, as a message? Clients receives a huge number of "unknown byte". The situation is like this - {'msg': 'Hello, world!!1'}; {'file': a file}. All is well, but it would be a shame if {'msg': a file}. It should be clear ;)
Welcome to SO.
Before I answer your question, allow me to clarify a few points about this site and our community. This is your first question, so maybe you didn't know:
SO (StackOverflow) is not a forum, it's more like both a chat and a library. If you ask a question, you are expected to stay on line for at least an hour or two to check in and give more information if somebody asks you.
If somebody asks for more information, edit the question - don't answer inside the comments (you can add a comment saying that you updated the question, but the question should be edited).
If you are not here to clarify your question, it WILL be closed because there are many people wanting answers and we give priority to the people who are here to respond.
It is important that your questions include information about what you already tried. It is better if your questions include some of the code you wrote when you tried your own solution.
Otherwise, it feels like you are trying to outsource your work to the community - which is a very big No No.
It is important that your questions are clear and that you write in the best English that you can manage.
Please read the comments to see what I mean about the community's expectations.
As for Websocket security:
I do not know what language you work with, so I will write in Ruby because it's easier for me and I think the code will be easier to read.
Websockets start as an HTTP connection which is then "upgraded" to a websocket connection.
Since most applications already have HTTP security / authentication logic that they wrote for the website, it is best to use this same security / authentication logic for websockets.
This is usually done BEFORE the connection is upgraded.
It is true that sometimes people write a new security / authentication logic layer for websockets, but that is not the most effective way to deal with this issue (mainly because messages could be sent to the websocket while authentication is still being processed, which starts a new world of issues and considerations).
Here is an example, using the Plezi framework, that requires authentication before the upgrade. test this example by installing the plezi gem (terminal: $ [sudo] gem install plezi) and running the following code in irb (terminal : $ irb):
require 'plezi'
class WebsocketSecDemo
# pre_connect is called before the upgrade, while still in HTTP mode.
def pre_connect
# return false (refuse the connection) unless the auth logic is okay
return false unless auth_logic
true
end
def on_message data
puts "got #{data}"
response << data
broadcast :ws_write, data
end
def index
"Check this using http://www.websocket.org/echo.html
\r\nConnect to the websocket at ws://localhost:3000/
\r\nTo authenticate, visit http://localhost:3000/login
\r\nTo un-authenticate visit http://localhost:3000/logout"
end
def login
cookies[:my_auth] = true
redirect_to :index
end
def logout
cookies[:my_auth] = nil
redirect_to :index
end
# protected methods aren't available to the HTTP router.
protected
def ws_write data
response << data
end
# The worst auth logic in the history of man kind...
def auth_logic
cookies[:my_auth] == true
end
end
Plezi.listen
Plezi.route '/', WebsocketSecDemo
# exit the terminal to start the demo
exit
Now visit:
localhost:3000 - for instructions
localhost:3000/login - to authenticate
localhost:3000/logout - to remove authentication
Also use www.websocket.org/echo.html a few times to try and connect to the websocket at ws://localhost:3000/ - try this:
before authentication;
after authentication (login); and
after you 'logout'...
Good Luck!
Related
So I'm doing this python basics course and my final project is to create a card game. At the bottom of the instructions I get this
For extra credit, allow 2 players to play on two different computers that are on the same network. Two people should be able to start identical versions of your program, and enter the internal IP address of the user on the network who they want to play against. The two applications should communicate with each other, across the network using simple HTTP requests. Try this library to send requests:
http://docs.python-requests.org/en/master/
http://docs.python-requests.org/en/master/user/quickstart/
And try Flask to receive them:
http://flask.pocoo.org/
The 2-player game should only start if one person has challenged the other (by entering their internal IP address), and the 2nd person has accepted the challenge. The exact flow of the challenge mechanism is up to you.
I already investigated how flask works and kind of understand how python-requests works too. I just can't figure out how to make those two work together. If somebody could explain what should I do or tell me what to watch or read I would really appreciate it.
it would be nice to see how far you've come before answer (as hmm suggested you in a comment), but i can tell you something theorical about this.
What you are talking about is a client-server application, where server need to elaborate the result of clients actions.
What i can suggest is to learn about REST API, that you can use to let client and server to communicate in a easy way. Your clients will send http requests to server exposed APIs.
From what you wrote, you have a basically constraints that should be respected during client and server communication, here reasumed:
Someone search for your ip and send you a challenge request
You have received a challenge that you refuse or accept; only if you accept the challenge you can start the game
As you can see from the project specifications the entire challenge mechanism is up to you, so you can decide the best for you.
I would begin start thinking to a possible protocol that make use of REST API to start initial communication between client and server and let you define a basic challenge mechanism.
Enjoy programming :).
Premise: I am a beginner in search for an easy way to send bug reports from users over sea.
I've made a script for some friends that are living on the other side of the sea (US - EUROPE)... I will like to gather automatic bug reports whenever they happen. So my first idea was to send myself an email with the smtplib module. It works fine when testing home, but as soon as the sender "sends", my email provider (gmail) blocks the connection because of course, its from an "unknown device". I've already enabled "Allow less secure apps" as someone suggested but with no avail.
What I am searching its a simple way of dealing with this.
Yes I could make the script to ignore the error if the email its not being sent, and then go into my google account and enable those devices so at least it will work from the second run..
But it doesn't seem what a programmer would do in this case. I am learning so a solution withing the language is what I am after.
A different provider that has no restriction its also a good start but I tried Yahoo, Live, Yandex but I couldn't make them work. Are there any?
So my question is: how others do? what is the best solution for some one like me?
I've read about sentry or other error/bug tracking but its obviously way too much for want I need
You should certainly not incorporate e.g. Gmail credentials in the code that is remotely executed on devices you do not control, given I understand correctly the Gmail less secure device issue happens as every "user" is running this code and using your credentials. This holds true for any other provider.
Now this won't exactly be simple but one way to go about it would be to create a server side API endpoint that can accept HTTP(s) or any other protocol requests that then will authenticate in a little more secure way on the server side with Gmail.
The concept for emails is:
Bug > Python Script > API call > Email
This could be implemented using Python on the API side (Flask e.g.) using an AWS Lambda Function with Amazon API Gateway, but again that is something to get through and understand by itself which will take a good chunk of time.
You need to touch a lot of concepts, like auth tokens to make this really secure.
Could you elaborate a little on where the code needs to run and if you are willing to try AWS or any other cloud provider, or would have access to an internet connected server ? This makes it easier to provide you with a full example on the solution in a hackish way while I would highlight the problems you could face on the security side.
I understand that this is not the way to go but as for my needs and my level of experience it works for me!
Yandex allows you to send email from different ip so Yandex is the way to go. What I was doing wrong in the first place was to use the wrong port (587 instead of 465)
I'm wondering how to achieve that nice feature I see on many websites today: when having conversations on social networks like Facebook or Linkedin, you can always answer an online message or status (which is not an email), by answering the email notification you receive. How do they achieve that?
As far as I can tell, I'd see two options:
Configure a mail server to fetch the emails and transmit the information to a Python (in my case) script to handle the data and save a database record that can be simply displayed afterwards on the website
Have a Python script running in the background, checking the mail server for incoming emails every few seconds (via pop3 or something)
Is there any other option? Has somebody already implemented this? What are the main pitfalls to look at? I'm asking this because I'd like to implement something similar on a web application I'm currently working on.
Thanks!
J
EDIT: I found this link which partially answers my question already: Django/Python: email reply is updated to site
I too am working on something similar and finding this https://github.com/pinax/django-notification useful. Check it out, you'll get an idea how to implement what you want.
Example scenario: Web based multi-user chat application through websocket connection. How can I ensure (or guarantee) that each connection in this application belongs to certain authenticated user and "can't be" exploited by false user impersonation or intervene during the connection.
by the way I am using tornado websocket on server side to implement basic chat room and already doing authentication for the non-websocket part of my app.
ps : suppose authenticated user posts what he wants and when other user open the listing page of item and automatically other user is added to list of websocket listeners what I want each user able to chat with buyer of the item individually not in a chatroom way but with one to one chat
First and foremost, there are two things you should remember about WebSockets: (a) it's an evolving standard and (b) it is designed with the intention of working with untrusted clients.
The biggest and most important thing you should always do with WebSockets is check their origin. If the origin is mismatched, obviously you don't want to deal with that client, so ignore their requests. Additionally, make sure you're using the "wss" secured WebSocket protocol rather than the "ws" unsecured protocol. This will ensure that your messages are encrypted.
The problem with just doing this, is that this information can be spoofed. See this blog post for a quick demonstration of this.
Additional Security:
Try sending a salted token, having it salted/hashed and sent back and validated in the handshake phase.
Limit requests that happen too frequently (just like the IRC protocol). If the user has submitted 10 lines or more within the span of a second, ignore that user.
Do a quick spam-check (there are lots of algorithms for this) -- stick to light heuristics, otherwise it will burden your server. Things like the presence of the words "free" or "viagra". Give the user a score that represents the likelihood that they are spamming or are a bot. When that is breached, boot them from the servers.
Hope that helps! Sorry if it doesn't. This is my frist answer on StackOverflow. :P
I'm pretty sure the websocket connection sends up any cookies that have been established in the non-websocket connection to your app. You should be able to query Django's session store for the connection's cookie and determine the user that socket belongs to.
Check out: https://docs.djangoproject.com/en/1.3/topics/http/sessions/#configuring-the-session-engine
This is the whole purpose of websocket connection. You authenticate them by handshaking protpcol. For further info see here:
https://datatracker.ietf.org/doc/html/draft-ietf-hybi-thewebsocketprotocol-08
I'm using the xmpppy library to write an XMPP client that can chat with users. It has its own XMPP user account and needs to know if a given user is online. However, the documentation is a bit sparse on how to do this. What would you recommend?
The only solution I've seen thus far is to start up a daemon before the XMPP server starts and monitor all presence messages that are sent out - then a user is said to be online if they've sent the "I'm online"-type message but not the corresponding "I'm logging off" message. However, being new to XMPP in general, I would think there would be a nicer way to do this.
The simple way is to support "subscribe" presence message -- this lets another user check if you're currently present (if they don't already know) by a "subscribe" attempt. Check this useful guide to get started, and the standard for many more important details (esp. on protecting your privacy, if needed, from subscribe requests from user you don't know).
There are basically three ways to connect to an XMPP server: as a client (which you've done), as a component, and as another server. The server-to-server type (s2s) is just a federated connection, very much like how mail servers exchange email with each other.
Alex described how clients keep track of presence. XMPP requires me to approve that you can receive my presence information and vice versa. For your bot this means for you to keep track of who's online the end users need to accept your presence requests. It also means that you can respond to the user's presence requests and keep them informed about if your bot is up or not.
The last way is as a trusted component, and only works if you're running the server. i.e. if you're trying to do this on the jabber.org server, you're out of luck, because you're not running that server. The upsdie is you can have access to the internals of the XMPP server, like pulling lists of everyone who's online. The downside is your component / bot implementation is going to be different for every server implementation.