Bug 1410253 - Expose websocket authorization headers through the node proxy
Summary: Expose websocket authorization headers through the node proxy
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Routing
Version: 2.x
Hardware: x86_64
OS: Linux
Target Milestone: ---
: ---
Assignee: Timothy Williams
QA Contact: zhaozhanqi
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-04 22:20 UTC by Timothy Williams
Modified: 2018-03-22 22:54 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-03-22 22:53:04 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Timothy Williams 2017-01-04 22:20:23 UTC
Description of problem:
The websocket protocol RFC6455 allows the http basic auth 'authorization' header:

12.  The request MAY include any other header fields, for example,
        cookies [RFC6265] and/or authentication-related header fields
        such as the |Authorization| header field [RFC2616], which are
        processed according to documents that define them.

Additionally, On page 19, RFC6455 also says:

1.  If the status code received from the server is not 101, the
       client handles the response per HTTP [RFC2616] procedures.  In
       particular, the client might perform authentication if it
       receives a 401 status code; the server might redirect the client
       using a 3xx status code (but clients are not required to follow
       them), etc.  Otherwise, proceed as follows.

The node-web-proxy currently does not pass the 'authorization' header for websocket connections.

How reproducible:

Steps to Reproduce:
1. Deploy a nodejs-0.10 app using the following quickstart:
    # rhc app-create wstest nodejs-0.10 --from-code=https://github.com/tiwillia/openshift-nodejs-http-and-websocket-example
   The quickstart has been modified to log the websocket request headers when a connection is made.

2. Use the `wscat` tool, provided through npm, to create a connection and pass authorization parameters to the nodejs application:
   # npm install wscat
   # wscat --auth "user:pass" --connect ws://wstest-namespace.dev.rhcloud.com:8000

3. Check the logs of the application after the connection is made with `rhc tail`. The authorization header should be included in the list received by the websocket server. 

Actual results:

Below is an example output from the logs of the sample application:

New connection:
{ connection: 'Upgrade',
  upgrade: 'websocket',
  host: '',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ4MzU2NzYzNTgxMA==',
  'user-agent': 'undefined',
  'x-forwarded-for': '',
  'x-client-ip': '',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits' }

Note the lack of an 'authorization' header in the list.

Expected results:

New connection:
{ connection: 'Upgrade',
  upgrade: 'websocket',
  host: '',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ4MzU2NzYzNTgxMA==',
  'user-agent': 'undefined',
  'x-forwarded-for': '',
  'x-client-ip': '',
  authorization: 'Basic dGl0cmJhbGxz',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits' }

Note the 'authorization' header in the list.

Additional info:

This should be fixed with https://github.com/openshift/origin-server/pull/6444

Comment 1 Abhishek Gupta 2018-03-22 22:54:26 UTC
The referenced PR was merged at that time.

Note You need to log in before you can comment on or make changes to this bug.