Websocket Error handling

Good morning. I have implemented a WebSocket in my Django app where the WebSocket URL has a u_id. However, if the WebSocket fails, the browser console displays the URL with the uid, which is a security concern. I need your help on how to handle or customize the error so that I will be able to display my own custom error message in the browser console.

Here is my views.py:

    @staticmethod
    def random_qr_code(request):
        context = {}
        request_url = get_current_host(request)
        u_id = str(uuid.uuid4()).replace('-', "")
        u_id = u_id[:7].upper()
        octal_str = get_encoded_data()
        image = octal_qr_code(octal_str)
        CrossAuth.objects.create(token=u_id, seed=octal_str)
        url = f"ws://{request_url}/ws/auth_qr_code/{u_id}/"

        context["image_url"] = image
        context["url"] = url
        context["secret_key"] = octal_str
        return context

HTML file:

<script>
  const socket = new WebSocket("{{ url }}");
  let timer = null;
  socket.onopen = () => {};
  socket.onmessage = function (evt) {
    console.log(evt["data"]);
    document.getElementById("success_message").innerHTML = evt["data"];

    window.location.href =
      "{{ request.scheme }}://{{ request.get_host }}/success_mobile/";
  };

  socket.onclose = socket.onerror = () => {};

</script>

Here is the error from the browser:

In this you can see that the WebSocket displays the UUID, and I want to remove it.
Note: I have tried to avoid passing the UUID in the URL and it works fine; however, I need to keep the uid in the URL to avoid any prod issue.

Thank you for your help and valuable time.

You are seeing this UUID in the console because your connection to the WebSocket failed. If you think that just by hiding it from the console you are securing your UUID, that is not the case, because the network tab shows everything: which requests and responses you are getting, and with which URL.
If the UUID is so important that it should not be violated publicly, then you can use something else, like a slug.

Thank you @addwebsolution, I will try that and see.

This is now the second time that you’ve made mention of information being available in the browser’s developer tools as being “a security concern”.

It is not.

I don’t know where you’re getting this impression or what is making you think of this, but somewhere along the line you’ve gotten a wrong idea about how the HTTP protocol works or how browsers work.

From the perspective of the server, everything being sent to the browser is insecure once it has reached the browser. The browser is a completely uncontrolled and uncontrollable environment.

I suggest you do some more research about this to gain a better understanding of how the web works.

1 Like
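
Added example, not part of the thread or any poster's code: because the browser can always see the WebSocket URL, one server-side approach is to make the identifier in that URL a high-entropy, short-lived, single-use token, so that seeing it in the console or network tab gives nothing reusable. `QrTokenStore`, `websocket_url` and the 120-second lifetime are hypothetical names and values, and the in-memory dict stands in for a database table such as the `CrossAuth` model in the question.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime of one QR login attempt


class QrTokenStore:
    """In-memory stand-in (hypothetical) for a table like the thread's CrossAuth."""

    def __init__(self, now=time.monotonic):
        self._now = now   # injectable clock so expiry can be tested
        self._rows = {}   # sha256(token) -> expiry timestamp

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table does not leak usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self):
        """Create the token that goes into the WebSocket URL."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._rows[self._digest(token)] = self._now() + TOKEN_TTL_SECONDS
        return token

    def redeem(self, token):
        """Call when the socket connects: valid once, and only before expiry."""
        expiry = self._rows.pop(self._digest(token), None)  # pop makes it single-use
        return expiry is not None and self._now() <= expiry


def websocket_url(host, token, secure=True):
    """Build the URL in the question's path layout; wss:// encrypts it in transit."""
    scheme = "wss" if secure else "ws"
    return f"{scheme}://{host}/ws/auth_qr_code/{token}/"


if __name__ == "__main__":
    store = QrTokenStore()
    tok = store.issue()
    print(websocket_url("example.test", tok))  # constructed host name
    print(store.redeem(tok), store.redeem(tok))  # first use accepted, replay rejected
```

In a Django Channels consumer, the equivalent of `redeem` would run in the connect handler, and the connection would be closed when it returns `False`.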