mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-12-15 17:31:56 +03:00
02d80c9ac6
* read cookie while initialising websocket connection (fix #1660) * add tests for cookie on websocket init * fix logic for tests * enforce cors, and flag to force read cookie when cors disabled - as browsers don't enforce SOP on websockets, we enforce CORS policy on websocket handshake - if CORS is disabled, by default cookie is not read (because XSS risk!). Add special flag to force override this behaviour * add log and forward origin header to webhook - add log notice when cors is disabled, and cookie is not read on websocket handshake - forward origin header to webhook in POST mode. So that when CORS is disabled, webhook can also enforce CORS independently. * add docs, and forward all client headers to webhook
39 lines
1.1 KiB
Python
39 lines
1.1 KiB
Python
"""
|
|
Sample auth webhook to receive a cookie and respond
|
|
"""
|
|
from http import HTTPStatus
|
|
from webserver import RequestHandler, WebServer, MkHandlers, Response
|
|
|
|
class CookieAuth(RequestHandler):
|
|
def get(self, request):
|
|
headers = {k.lower(): v for k, v in request.headers.items()}
|
|
print(headers)
|
|
if 'cookie' in headers and headers['cookie']:
|
|
res = {'x-hasura-role': 'admin'}
|
|
return Response(HTTPStatus.OK, res)
|
|
return Response(HTTPStatus.UNAUTHORIZED)
|
|
|
|
def post(self, request):
|
|
headers = {k.lower(): v for k, v in request.json['headers'].items()}
|
|
print(headers)
|
|
if 'cookie' in headers and headers['cookie']:
|
|
res = {'x-hasura-role': 'admin'}
|
|
return Response(HTTPStatus.OK, res)
|
|
return Response(HTTPStatus.UNAUTHORIZED)
|
|
|
|
|
|
handlers = MkHandlers({
|
|
'/auth': CookieAuth,
|
|
})
|
|
|
|
def create_server(host='127.0.0.1', port=9876):
|
|
return WebServer((host, port), handlers)
|
|
|
|
def stop_server(server):
|
|
server.shutdown()
|
|
server.server_close()
|
|
|
|
if __name__ == '__main__':
|
|
s = create_server(host='0.0.0.0')
|
|
s.serve_forever()
|