sending current user with channels websocket

I’m using Django Channels, and I’d like to be able to send the current user with sent messages. However, doing something like having <input type="hidden" id="userId" value="{{user.id}}"> doesn’t sit well with me for security reasons. Could someone not just inspect their page and swap out the id for another user’s, assuming they had access to it? What other way might I do this?

Here’s my room.html body (which is planned for further development; this is just a minimally edited snippet from the Channels tutorial):

<body>
    <textarea id="chat-log" cols="100" rows="20" readonly></textarea><br>
    <input id="chat-message-input" type="text" size="100"><br>
    <input id="chat-message-submit" type="button" value="Send">
    {{ room_name|json_script:"room-name" }}
    <script>
        // Room name is injected safely by json_script, then parsed here.
        const roomName = JSON.parse(document.getElementById('room-name').textContent);
        // Use wss:// when the page itself was served over HTTPS.
        const ws_scheme = window.location.protocol === "https:" ? "wss" : "ws";
        const chatSocket = new WebSocket(ws_scheme + '://' + window.location.host + '/ws/chat/' + roomName + '/');

        // Append every message broadcast by the consumer to the log.
        chatSocket.onmessage = function(e) {
            const data = JSON.parse(e.data);
            document.querySelector('#chat-log').value += (data.message + '\n');
        };

        chatSocket.onclose = function(e) {
            console.error('Chat socket closed unexpectedly');
        };

        document.querySelector('#chat-message-input').focus();
        document.querySelector('#chat-message-input').onkeyup = function(e) {
            if (e.keyCode === 13) {  // enter, return
                document.querySelector('#chat-message-submit').click();
            }
        };

        // Only the message text is sent; the server knows who the user is.
        document.querySelector('#chat-message-submit').onclick = function(e) {
            const messageInputDom = document.querySelector('#chat-message-input');
            const message = messageInputDom.value;
            chatSocket.send(JSON.stringify({
                'message': message
            }));
            messageInputDom.value = '';
        };
    </script>
</body>

You don’t need to send it. The scope object, available in the consumer, contains the user object if you’ve got Authentication enabled.

Ken

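To make Ken's point concrete, here is an added example (not code from the thread or from the Channels project) of a consumer that takes the sender's identity from scope["user"] and ignores anything the browser claims about who it is. It assumes the ASGI routing wraps the URL router in AuthMiddlewareStack, as the Channels tutorial does, so the session cookie populates scope["user"]; the helper build_chat_event, the _DemoUser stand-in and the close code 4401 are constructed for this example.

```python
"""Added example: derive the sender from the authenticated scope, not the client.

Assumes Django Channels with AuthMiddlewareStack in the ASGI routing (as in the
Channels tutorial) so that scope["user"] is populated. Not the forum poster's
code; the helper and class names below are our own.
"""
import json

try:
    from channels.generic.websocket import AsyncWebsocketConsumer
except ImportError:  # lets the pure helper below run without Channels installed
    AsyncWebsocketConsumer = object


def build_chat_event(scope, raw_text):
    """Return the group event for one incoming WebSocket frame, or None to drop it.

    The sender identity comes only from scope["user"], which AuthMiddlewareStack
    fills in from the session cookie. Any "user_id" or "username" the browser put
    in the JSON is deliberately discarded, so editing a hidden input in the DOM
    cannot impersonate another account.
    """
    user = scope.get("user")
    if user is None or not getattr(user, "is_authenticated", False):
        return None  # anonymous socket: drop the frame

    try:
        payload = json.loads(raw_text)
    except (TypeError, ValueError):
        return None
    message = payload.get("message") if isinstance(payload, dict) else None
    if not isinstance(message, str) or not message.strip():
        return None

    return {
        "type": "chat.message",          # dispatched to ChatConsumer.chat_message
        "message": message[:2000],       # cap length server-side
        "user_id": user.pk,              # trusted: from the session, not the DOM
        "username": user.get_username(),
    }


class ChatConsumer(AsyncWebsocketConsumer):
    """Tutorial-style consumer that stamps every message with scope["user"]."""

    async def connect(self):
        if not self.scope["user"].is_authenticated:
            await self.close(code=4401)  # constructed app-specific close code
            return
        self.room_name = self.scope["url_route"]["kwargs"]["room_name"]
        self.room_group_name = f"chat_{self.room_name}"
        await self.channel_layer.group_add(self.room_group_name, self.channel_name)
        await self.accept()

    async def disconnect(self, close_code):
        group = getattr(self, "room_group_name", None)  # unset if connect() rejected
        if group:
            await self.channel_layer.group_discard(group, self.channel_name)

    async def receive(self, text_data=None, bytes_data=None):
        event = build_chat_event(self.scope, text_data)
        if event is not None:
            await self.channel_layer.group_send(self.room_group_name, event)

    async def chat_message(self, event):
        # Forward to the browser, which renders username + message.
        await self.send(text_data=json.dumps(
            {"username": event["username"], "message": event["message"]}
        ))


class _DemoUser:
    """Constructed stand-in for a Django user object, only for the demo below."""

    def __init__(self, pk, username, is_authenticated=True):
        self.pk = pk
        self._username = username
        self.is_authenticated = is_authenticated

    def get_username(self):
        return self._username


def demo():
    """Show that a spoofed user_id inside the frame is ignored."""
    scope = {"user": _DemoUser(7, "alice")}           # what AuthMiddlewareStack provides
    spoofed = json.dumps({"message": "hi", "user_id": 999})  # constructed hostile frame
    return build_chat_event(scope, spoofed)
```

The browser never needs the hidden input: the session cookie sent with the WebSocket handshake is what authenticates the socket, and the consumer attaches the username to each outbound event itself. The demo() call returns an event with user_id 7 and username "alice" regardless of the 999 in the frame.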

Thanks! Just found that out by reading deeper into the docs, which admittedly I should have done in the first place :sweat_smile:
I’m not used to good documentation :joy:
Link for people who may find this in the future: https://channels.readthedocs.io/en/latest/topics/authentication.html