The -t option does not take an argument. There are two security mechanisms. The key and the token. The key is unique and required. It is used to encrypt communications between the web2py server and the websocket server. You set a key with -k <key>. The token mechanism is optional. It is enabled with -t and it is designed to prevent arbitrary clients from connecting to the websocket. Each client must have a unique token and pass it in the ws:// connection string when it connects. It is up to you to make up tokens. They can be random numbers, uuid, etc. You have to give a token to the clients and you have to register the tokens with websocket_server via the /token api.

On Wednesday, 15 July 2015 08:51:18 UTC-5, Samuel Sowah wrote:
>
> On Wednesday, July 15, 2015 at 8:53:35 AM UTC, Massimo Di Pierro wrote:
>>
>> This logic was added somewhat recently and I did not test it myself but
>> reading the code it seems it should work this way:
>>
>> 1) run websocket_messaging.py -t to enable the token message
>> 2) post a message to the /token API with a message containing a made up
>> UUID token. This will create a token on the server
>> 3) when connecting instead of
>>
>> ws://127.0.0.1:8888/realtime/mygroup
>>
>> use
>>
>> ws://127.0.0.1:8888/realtime/mygroup/<token>
>>
>> because of -t, the <token> must match one of the registered tokens and no
>> other client must be using it for a connection. Notice that in 2 the /token
>> api is meant to be called by the web2py server. Works like the post
>> handler. The message is supposed to be created and signed using the server
>> password.
>>
>> The idea is when a new client accesses the web app, the server creates a
>> one time token for that client, gives it to the client (via normal web2py
>> means, embedding in the pages, etc.) and registers it with the
>> websocket_server. The latter then checks the token when the client tries to
>> connect.
>>
>
> I don't understand how this happens? The token that I use to start the
> websocket_messaging.py via -t option, that token doesn't change, so which
> token does the server create to give to the client, and how does it
> register it with the websocket_server. Are the tokens unique for each
> client? and if so how are they generated and registered to allow
> communication? how different is the token for the -t option from the token
> the server creates? I'm a bit confused how to use this. The English makes
> sense but the technicality behind it is still fuzzy. Like, from what I
> understand, the server creates a token when the client first connects and
> gives it to the client. when the client tries to send messages via the
> websocket, it has to add the token to the message via
> url/realtime/group/token. I still don't know how to implement this (if
> that's what you're saying even means).
>
> A simple chat app implementing just this can help my understanding, I'm
> only asking. But some further explanation will also do until I can
> understand.
> Thanks.
>
>> On Tuesday, 14 July 2015 20:54:32 UTC-5, Samuel Sowah wrote:
>>>
>>> Can someone please explain how to use websocket_messaging.py properly
>>> with tokens?
>>>
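
The token flow described in this thread, modelled in memory as an added example (not part of the original messages and not web2py's own code): the web app makes up a token, registers it with a signed message, and the websocket side admits one connection per registered token. The names `TokenRegistry`, `sign`, `ws_url`, `demo` and `SERVER_KEY`, and the use of HMAC-SHA256 as the signature, are assumptions for illustration; the key and client names are constructed.

```python
import hashlib
import hmac
import uuid

SERVER_KEY = b"constructed-demo-key"  # stands in for the value passed with -k


def sign(key, message):
    """Signature the web app attaches to a /token request (HMAC is assumed)."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def ws_url(host, group, token):
    """Connection string the client uses once it has been given its token."""
    return "ws://%s/realtime/%s/%s" % (host, group, token)


class TokenRegistry:
    """Hypothetical model of the websocket server's bookkeeping under -t."""

    def __init__(self, key):
        self.key = key
        self.tokens = {}  # token -> connection using it, or None if unused

    def register(self, message, signature):
        """Model of the /token call: accept only correctly signed tokens."""
        if not hmac.compare_digest(sign(self.key, message), signature):
            return False
        self.tokens.setdefault(message, None)
        return True

    def connect(self, token, connection):
        """Model of the ws:// connect: token must be registered and unused."""
        if token not in self.tokens or self.tokens[token] is not None:
            return False
        self.tokens[token] = connection
        return True


def demo():
    registry = TokenRegistry(SERVER_KEY)
    token = uuid.uuid4().hex  # made-up token, one per client
    registered = registry.register(token, sign(SERVER_KEY, token))
    forged = registry.register("guess", sign(b"wrong-key", "guess"))
    first = registry.connect(token, "client-A")
    second = registry.connect(token, "client-B")  # token already in use
    unknown = registry.connect("guess", "client-C")  # never registered
    url = ws_url("127.0.0.1:8888", "mygroup", token)
    return registered, forged, first, second, unknown, url
```

`demo()` returns the outcome of each step: the signed registration and first connection succeed, while the registration signed with the wrong key, the second connection on the same token, and the unregistered token are all refused.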

