swampdragon-auth icon indicating copy to clipboard operation
swampdragon-auth copied to clipboard

Published 20 hours ago verified publisher icon hagsteel

AndroidAsync (WebSocket) + SD-Auth

Open ZuSe opened this issue 9 years ago • 15 comments

Hi folks,

as part of our project we have an Android App that needs to deal with swampdragon/sockjs-tornado based WebSockets. On client side we use a library called "AndroidAsync" to connect to Websocket. Therefore we stick to the url shema as described by the SockJS protocol (ws(s)://mydomain:port/data/serverid/session/websocket) , not the raw endpoint. Connecting and calling a basic route works like a harm. But we got multiple channels which need user based subscription. Has anyone done it before either on Android or any other mobile operating system? As far as I know swampdragon-auth makes use of the sessionid provided by django. Usually this is not the way to go with mobile Apps. For example, Django RESTFramework provides Token Auth, which might be THE choice for most of the mobile apps where user data is required.

Is there sth. similar provided by swampdragon(-auth) or better does SockJS actually support Token Auth? Are there other ways how to send notifications only to a subset of all online users?

Best, ZuSe

ZuSe avatar May 13 '15 07:05 ZuSe

As a matter of fact @silentninja actually did this:

https://github.com/jonashagstedt/swampdragon-auth/pull/9

You can use token auth with Swampdragon auth

hagsteel avatar May 13 '15 08:05 hagsteel

Can I use both at the same time? Token for the Apps and session for the website?

btw: You should really mention this somewhere in the docs :P

ZuSe avatar May 13 '15 08:05 ZuSe

You know, I haven't actually tried the token one.

From briefly looking at the code it looks like you should be able to mix the token auth with the cookie auth I'd say give it a try and let me know if it doesn't work or if you have any suggestions

hagsteel avatar May 13 '15 08:05 hagsteel

I will.

First I think it should be swampdragon_auth and not swampdragon_tokenauth. Second I lack on a way to enable both connections since SWAMP_DRAGON_CONNECTION does not support a set as input, does it?

ZuSe avatar May 13 '15 09:05 ZuSe

I would write a new connection class where I merge the code between the two of them.

hagsteel avatar May 13 '15 09:05 hagsteel

That's what I wanted to know. So swampdragon lacks on support for multiple auth method support ;)

ZuSe avatar May 13 '15 11:05 ZuSe

Well technically swampdragon doesn't support auth at all out of the box, that's why this package is required.

This seems to be used quite frequently so I might actually merge this into the main code base at some point though.

hagsteel avatar May 13 '15 11:05 hagsteel

Hehe that might be a good idea.

I just tried the token auth, it works when you use the right import and load drf at the top.
I tried to merge the 2 into HttpDataConnection but then it breaks with the session auth, need to spend some more time on it. I think the problem is the handle method of the mixin which provides no fallback to session auth if there is no token given.. am I right on this? Sorry for the stupid questions, but lack a bit on time and need to get in touch with your architecture first :)

ZuSe avatar May 13 '15 14:05 ZuSe

BTW, my merged version can be found here: https://github.com/ZuSe/swampdragon-auth

I think it works, at least I was able to authenticate with cookies from opera (angularjs app) and with token within Simple Websocket Client (Chrome) e.g.: {"route":"invites","verb":"subscribe","args": "auth":"ee61a92468c1d68f0546c8cd92821b0449d5f414","channel":"invites"},"callbackname":"cb_0"}

a[{"context":{"client_callback_name":"cb_0","verb":"subscribe","state":"success"},"data":[],"channel_data":{"action":"subscribe","remote_channels":["invite|invitee_id:7"],"local_channel":"invites"}}]

The only problem with my version, it requires DRF. What's your plan will it be required with version 0.4.3 per default as discussed here https://github.com/jonashagstedt/swampdragon/issues/11 or shall we make it optional?

ZuSe avatar May 13 '15 14:05 ZuSe

I won't make it a requirement, but I am considering making the authentication backend a bit more flexible. It's easy enough to check import errors but I am considering rewriting this and merging this into the main package and have swappable (and multiple) auth backends

It's easy enough to catch the import error if DRF is not present

hagsteel avatar May 13 '15 14:05 hagsteel

Yeah but then you also need to disable token auth and tell the user :P

ZuSe avatar May 13 '15 15:05 ZuSe

I added token auth to see if mixins would work out and if it went well I wanted to implement jwt which would be somewhat similar and then update readme file,got busy with some other work. and couldn't work on it. You could replace the drf model with some other similar alternative(https://pypi.python.org/pypi/django-token/0.1.1) and delete the import exception.

silentninja avatar May 13 '15 21:05 silentninja

Would abstract factory for connection work here or are you planning to make something like django middleware

silentninja avatar May 13 '15 21:05 silentninja

Not sure. Could you elaborate? (I've been churning through tickets all night and I'm a bit frazzled)

hagsteel avatar Jun 13 '15 22:06 hagsteel

jonashagstedt/swampdragon#104

silentninja avatar Jun 18 '15 04:06 silentninja