I'm by no means a security engineer, and I've barely begun my journey as a web developer. I'm using a Python package called Django for my backend and React.js for my front end. Recently I've incorporated django-channels, which is a package that gives me the ability to use websockets in my project. Since I've decoupled my front end and backend, the form of authentication I'm using is via tokens (I will look into using JWT).
```javascript
const path = wsStart + 'localhost:8000' + loc.pathname;
document.cookie = 'authorization=' + token + ';';
this.socketRef = new WebSocket(path);
```
Doing this allows me to then extract the token information using a custom middleware on my backend.
```python
import re

from channels.auth import AuthMiddlewareStack
from channels.db import database_sync_to_async
from django.contrib.auth.models import AnonymousUser
from django.db import close_old_connections
# Assumes the DRF token model, which matches the Token.objects.get(key=...).user lookup below.
from rest_framework.authtoken.models import Token


@database_sync_to_async
def get_user(token_key):
    try:
        return Token.objects.get(key=token_key).user
    except Token.DoesNotExist:
        return AnonymousUser()


class TokenAuthMiddleware:
    """
    Token authorization middleware for Django Channels 2
    see: https://channels.readthedocs.io/en/latest/topics/authentication.html#custom-authentication
    """

    def __init__(self, inner):
        self.inner = inner

    def __call__(self, scope):
        return TokenAuthMiddlewareInstance(scope, self)


class TokenAuthMiddlewareInstance:
    def __init__(self, scope, middleware):
        self.middleware = middleware
        self.scope = dict(scope)
        self.inner = self.middleware.inner

    async def __call__(self, receive, send):
        close_old_connections()
        headers = dict(self.scope["headers"])
        # The handshake may carry no Cookie header at all, so default to an empty one.
        cookies = headers.get(b"cookie", b"").decode()
        if "authorization" in cookies:
            # Stop at the next ';' so cookies that follow are not swallowed into the token.
            match = re.search(r"authorization=([^;]+)", cookies)
            token_key = match.group(1).strip() if match else None
            if token_key:
                self.scope["user"] = await get_user(token_key)
        inner = self.inner(self.scope)
        return await inner(receive, send)


TokenAuthMiddlewareStack = lambda inner: TokenAuthMiddleware(AuthMiddlewareStack(inner))
```
However, this has raised some sort of security red flags (or so I'm told).
Therefore I'd like to extend these questions to the security veterans out there:
- Is this method of sending token authentication information via cookie headers safe?
- Is my implementation of this method safe?
- Is there a way to secure this even further?
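As an added illustration (this is not code from the question or from django-channels), the snippet below isolates the cookie-parsing step that the question's middleware performs on the WebSocket handshake. It reads the `authorization` cookie out of a Channels-style ASGI scope, where `scope["headers"]` is a list of `(name, value)` byte pairs, using the standard library's `SimpleCookie` instead of a hand-written regex, and it places the question's original pattern `authorization=(.*)(; )?` alongside so the difference is visible. The scopes at the bottom are constructed samples, and the `abc123` token value is a placeholder.

```python
# Added example: robust extraction of the 'authorization' cookie from an ASGI
# websocket scope, compared with the regex used in the question.
import re
from http.cookies import SimpleCookie

# The pattern from the question, kept for comparison only.
ORIGINAL_PATTERN = re.compile(r"authorization=(.*)(; )?")


def token_with_original_regex(cookie_header: str):
    """Reproduce the question's extraction on a raw Cookie header string."""
    match = ORIGINAL_PATTERN.search(cookie_header)
    return match.group(1) if match else None


def token_from_scope(scope: dict):
    """Return the value of the 'authorization' cookie, or None if absent.

    Walks every Cookie header in the scope (a client may send several),
    lets SimpleCookie handle quoting and attribute parsing, and never
    raises on a handshake that carries no cookies at all.
    """
    jar = SimpleCookie()
    for name, value in scope.get("headers", []):
        if name == b"cookie":
            jar.load(value.decode("latin-1"))
    morsel = jar.get("authorization")
    if morsel is None or not morsel.value:
        return None
    return morsel.value


# Constructed sample handshakes (not captured traffic).
SCOPE_SINGLE = {
    "type": "websocket",
    "headers": [(b"host", b"localhost:8000"), (b"cookie", b"authorization=abc123")],
}
# The browser sends the whole cookie jar; the token is not necessarily last.
SCOPE_MULTI = {
    "type": "websocket",
    "headers": [(b"cookie", b"csrftoken=xyz; authorization=abc123; sessionid=s1")],
}
SCOPE_NONE = {
    "type": "websocket",
    "headers": [(b"host", b"localhost:8000")],
}

if __name__ == "__main__":
    for label, scope in (("single", SCOPE_SINGLE), ("multi", SCOPE_MULTI), ("none", SCOPE_NONE)):
        print(label, token_from_scope(scope))
    # With the greedy '.*', the original regex returns the rest of the header,
    # so the token lookup would fail once any other cookie follows it.
    print("original regex:", token_with_original_regex("csrftoken=xyz; authorization=abc123; sessionid=s1"))
```

The point this makes for the second question is narrow but concrete: because `.*` is greedy, the posted regex returns `abc123; sessionid=s1` whenever another cookie follows the token, so the lookup falls back to `AnonymousUser` even for a valid token, and a handshake with no Cookie header at all raises `KeyError` before the middleware gets that far. A parser that stops at the cookie boundary and tolerates a missing header fixes both without changing the design.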