The WebSocket Auth Problem: Cookies vs. Bearer Tokens
If you build real-time apps, you have probably struggled with WebSocket authentication.
Over plain HTTP, authentication is simple: you send a cookie or a Bearer token with every request. WebSockets are different.
A WebSocket connection starts with an HTTP GET request carrying an Upgrade header. This is the handshake. The browser WebSocket API does not let you set custom headers on it: the constructor takes only a URL and an optional list of subprotocols, so there is no way to add an Authorization header.
The common workarounds all have problems:
- Query parameters (wss://host/ws?token=...) put the token in server, proxy and load-balancer access logs.
- Sending the token as the first message adds a round trip, and the connection sits open but unauthenticated until that message arrives, so you must time it out and drop every frame received before it.
- Smuggling the token through the Sec-WebSocket-Protocol header works, but it is a hack: the server has to echo a subprotocol back or the browser closes the connection, and the token still travels in a header that was never meant for credentials.
Use HttpOnly cookies. The browser attaches them automatically to the handshake, just as it does to any other request to the same site. Mark the cookie Secure and serve the socket over wss:// so the token never travels in the clear.
Your client code stays simple: new WebSocket(url) and nothing else. You do not need interceptors or wrappers, and page scripts cannot read the token.
There is one caveat that the automatic attachment creates. Because the browser sends the cookie regardless of which page opened the socket, and CORS does not apply to WebSocket handshakes, any site the user visits could open an authenticated connection to your server. This is cross-site WebSocket hijacking. Always check the Origin header of the handshake against an allow-list, and set SameSite on the cookie so the browser withholds it from cross-site handshakes in the first place.
The backend needs a few extra steps. The handshake handler receives the raw HTTP request object, and no framework middleware has parsed the Cookie header for you, so you do it yourself.
The process is straightforward:
- Validate the Origin header before looking at any credential.
- Parse the raw Cookie header and pull out the session cookie.
- Verify the JWT signature, pinning the expected algorithm, and check its expiry.
- Link the user ID to the socket, or reject the upgrade with a 401 before the WebSocket is ever established.
HttpOnly cookies remove friction. Tokens stay out of URLs and logs, page scripts cannot read them, and the client needs no extra logic. You trade a little backend parsing, plus an Origin check you should have anyway, for a better security posture. The limitation is scope: cookies only serve browser clients on the same site, so native apps or clients on other domains still need a different path.
Source: https://dev.to/nikhilsharma6/the-websocket-auth-problem-cookies-vs-bearer-tokens-4eel