Support for Websocket Denial Response#1478
Closed
paulo-raca wants to merge 9 commits intoKludex:masterfrom
Closed
Conversation
Author
|
Here is a simple demo (Based on FastAPI): (It needs to be executed with hypercorn, as it is the only ASGI server currently supporting this extension) No error:With custom HTTP code:Response body: With uncaught exceptionResponse body: |
This was referenced Feb 8, 2022
a7372ee to
bd1e82e
Compare
It allows returning regular HTTP Response to a websocket request (if the ASGI Websocket Denial Response extension is supported, otherwise just closes with code 403 as before)
bd1e82e to
76c36e3
Compare
The current implementation was broken when used with websockets This URL mapping logic has also been update: - Fixing a few minor bugs - It is now possible to specify the HTTP/HTTPS port mapping (e.g. 80/443, 8080/8443, etc)
- Both classes now share a common superclass, BaseExceptionMiddleware, which takes care of most of the logic - Added ExceptionTypeOrStatusCode and ExceptionHandler to help on typing hints - Error handlers now take a HTTPConnection instead of a Request - Support for WebsocketDenialResponse
76c36e3 to
7955926
Compare
paulo-raca
added a commit
to paulo-raca/starlette
that referenced
this pull request
Mar 3, 2022
When a websocket connection is rejected (e.g., wrong URL, missing permissions, etc), starlette always returns a generic 403 response (triggered by "websocket.close" message) or a generic HTTP500 response (Produced by ASGI gateway if there is an unhandled error) Instead it is better to return useful HTTP error responses using the [Websocket Denial Response ASGI extension](https://asgi.readthedocs.io/en/latest/extensions.html#websocket-denial-response), if it is available This PR makes the following changes: - Added WebsocketDenialResponse class to return a HTTP Response to a websocket request. mapping the ASGI message as appropriate. if the extension is not supported, it just closes the websocket resulting and HTTP 403 like before - Updated testclient to support denial responses. The extension must be explicitly enabled on a connection using `websocket_connect(..., denial_response=True)`, and if a denial response is returned a WebSocketDenied exception is thrown - Refactored testclient code to parse HTTP responses so that it can be reused on websocket denial responses This PR superseeds Kludex#1478 with better documentation and testing support. Unlike the previous PR, it does not update the various middlewares. Instead, I'll create separate PRs for those later, in order to keep this PR smaller
Author
|
Superseeded by #1315 |
Owner
|
Superseded by #1535 actually. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When a websocket endpoint throws an exception (e.g., because of invalid authentication), we currently end with either with a generic 403 response (triggered by "websocket.close" message) or a generic HTTP500 response (if there is an unhandled error)
Instead, it is better to return useful HTTP error responses using the Websocket Denial Response ASGI extension, if it is available
This PR makes several changes in order to support this extension:
WebsocketDenialResponseclass to return a HTTP Response to a websocket request (if the extension is supported, otherwise just closes with code 403 as before)AuthenticationMiddlewareand@requireshave been updated (Fixes Wrong unauthorized WebSocket status code #1362)HTTPSRedirectMiddlewarehas been updatedExceptionMiddlewareandServerErrorMiddlewarehave been updated to take advantage of itBaseExceptionMiddlewaresuperclass was addedExceptionTypeOrStatusCodeandExceptionHandlertypes were added to simplify typing annotationsHTTPConnectioninstead of aRequest