fanout / django-grip
Django GRIP library
License: MIT License
There are two vulnerabilities reported by Snyk in [email protected] which is an indirect dependency in my case because [email protected] requires it.
I've checked the Werkzeug releases, and it is the last release in the 2.*.* before the 3.*.* started. The fix is in the version 3.0.1.
Apparently, the django-grip setup.py file explicitly specifies that the required version of Werkzeug should be < version 3.* ('Werkzeug>=1.0,<3')
Pin [email protected] to [email protected] to fix
✗ Inefficient Algorithmic Complexity (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177] in [email protected]
introduced by [email protected] > [email protected] > [email protected]
✗ Denial of Service (DoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6041510] in [email protected]
introduced by [email protected] > [email protected] > [email protected]
Is django-grip ready to update the Werkzeug dependency to 3.0.1?
Duplicate 'POST /publish' requests are sent when using websocket over HTTP
Environment:
Django(2.0.7)
python manage.py runserver 9000
Pushpin
pushpin --route="* localhost:9000,over_http"
In Django APP's URL.py:
url(r'^socket/test_userb$', views.test_userb, name='test_userb'),
url(r'^socket/sendto_b$', views.sendto_b, name='sendto_b'),
In Django APP's views.py:
@websocket_only
def test_userb(request):
    ws = request.wscontext
    # if this is a new connection, accept it and subscribe it to a channel
    if ws.is_opening():
        ws.accept()
        ws.subscribe('user_b')
    ......

def sendto_b(request):
    sendContent = WebSocketMessageFormat('sendto_b\n')
    print(sendContent.content)
    publish('user_b', sendContent)
    return HttpResponse('Ok\n')
In client code:
function sendToB() {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', "http://localhost:7999/users/socket/sendto_b");
    xhr.send();
    .....
}
HTTP Packets:
client to Pushpin:
GET /users/socket/sendto_b HTTP/1.1
Host: localhost:7999
Connection: keep-alive
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Pushpin to Django:
GET /users/socket/sendto_b HTTP/1.1
Host: localhost:7999
Accept-Encoding: deflate, gzip
Accept: */*
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Grip-Sig: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MzIwMTYyNjcsImlzcyI6InB1c2hwaW4ifQ.NK6DkhmE6XY2B1P5Dt-hLNyBytY6Y_6CIPNpM8Gspfc
Grip-Feature: status, session, link:next, filter:skip-self, filter:skip-users, filter:require-sub, filter:build-id
(Two Accept(200 OK) packets omitted)
First publish:
TCP port 62008 -> port 5561
POST /publish/ HTTP/1.1
{"items": [{"ws-message": {"content": "sendto_b\n"}, "channel": "user_b"}]}
Second publish:
TCP port 62010 -> port 5561
POST /publish/ HTTP/1.1
{"items": [{"ws-message": {"content": "sendto_b\n"}, "channel": "user_b"}]}
Log Output from Django server:
Performing system checks...
System check identified no issues (0 silenced).
July 19, 2018 - 15:30:21
Django version 2.0.7, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:9000/
Quit the server with CONTROL-C.
sendto_b
[19/Jul/2018 15:30:38] "GET /users/socket/sendto_b HTTP/1.1" 200 3
And client received two pushes.
It seems that newer versions of urllib3 will break the library as it uses method_whitelist which is removed in version 2.0.0 and above of urllib3
got an unexpected keyword argument 'method_whitelist'
Workaround was to use lower version 1.27 below of urllib3.
my views.py
```
def echo(request):
    ws = request.wscontext
    if ws.is_opening():
        ws.accept()
        ws.subscribe('room')
    while ws.can_recv():
        message = ws.recv()
        if message is None:
            ws.close()
            break
        ws.send(message)
```
When I send a string to the channel "абв"
Getting an error:
Internal Server Error: /pushpin/echo/
Traceback (most recent call last):
  File "/Users/folt/Documents/env/api_server/lib/python3.5/site-packages/django/core/handlers/exception.py", line 42, in inner
    response = get_response(request)
  File "/Users/folt/Documents/env/api_server/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/folt/Documents/env/api_server/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/folt/Documents/env/api_server/lib/python3.5/site-packages/django_grip.py", line 190, in wrapped_view
    response = view_func(*args, **kwargs)
  File "/Users/folt/Documents/Working/api_server/api_server/apps/api_v1/app_pushpin/views.py", line 69, in echo
    message = ws.recv()
  File "/Users/folt/Documents/env/api_server/lib/python3.5/site-packages/django_grip.py", line 142, in recv
    raise IOError('client disconnected unexpectedly')
OSError: client disconnected unexpectedly
[21/Mar/2017 13:33:32] "POST /pushpin/echo/ HTTP/1.1" 500 69632
I think I misunderstand something. I've been studying the WebSocket echo service example in the README. What I see is a loop that waits to receive a message and then echoes that back to the client. Normally I deploy using nginx and uwsgi but this seems like it would tie up one of my workers. If the websocket server implementation is busy waiting on the next message, how do other workers service requests?
How does this work with pushpin? If that's a necessary part of the story, it isn't clear from the README.
Maybe I'm misunderstanding the GRIP protocol but I thought it would break down the busy-waiting server implementation into a series of HTTP requests/replies.
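How the README-style receive loop maps onto WebSocket-over-HTTP, as an added example that is not django-grip's code and not part of the posts above: each POST from Pushpin carries a batch of events, the view handles that batch and returns, and each event length is a hex count of bytes (so "абв" is 6, not 3). The names `encode_events`, `decode_events` and `echo_view` are assumptions made for this example; the framing follows the `OPEN` / `TEXT 2a` response body shown elsewhere on this page.

```python
# Added example: minimal WebSocket-over-HTTP event codec (not django-grip code).
# Wire format per event: TYPE[ <hex byte length>]\r\n[<content>\r\n]

def encode_events(events):
    """events: list of (type, content); content is bytes or None."""
    out = b""
    for etype, content in events:
        if content is None:
            out += etype.encode("ascii") + b"\r\n"
        else:
            # The declared length counts bytes, not characters.
            out += etype.encode("ascii") + b" %x\r\n" % len(content) + content + b"\r\n"
    return out

def decode_events(body):
    """Parse a request body into (type, content) pairs, checking each length."""
    events, pos = [], 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated event header")
        etype, _, size = body[pos:eol].partition(b" ")
        pos = eol + 2
        content = None
        if size:
            n = int(size, 16)
            content = body[pos:pos + n]
            if len(content) != n or body[pos + n:pos + n + 2] != b"\r\n":
                raise ValueError("declared length does not match content")
            pos += n + 2
        events.append((etype.decode("ascii"), content))
    return events

def echo_view(request_body, channel="test"):
    """One POST in, one response out: handle the batch, then return (no waiting)."""
    out = []
    for etype, content in decode_events(request_body):
        if etype == "OPEN":
            control = b'c:{"channel": "%s", "type": "subscribe"}' % channel.encode()
            out += [("OPEN", None), ("TEXT", control)]  # accept + subscribe
        elif etype == "TEXT":
            out.append(("TEXT", content))  # echo the message back
        elif etype == "CLOSE":
            out.append(("CLOSE", content))
            break
    return encode_events(out)

# Constructed sample request body: two TEXT events delivered in a single POST.
SAMPLE_BODY = encode_events([("TEXT", b"hello"), ("TEXT", "абв".encode("utf-8"))])
```

A worker is occupied only while it processes one batch; the idle WebSocket is held by Pushpin, not by the Django process.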
Seems to be 2 errors on lines
I suppose that wscontext.meta and wscontext.orig_meta are dictionaries.
Iterating over it should be done using six.iteritems(wscontext.meta) or wscontext.meta.items()
Otherwise now I'm getting the error Error: too many values to unpack
Hi,
I am trying to open a websocket using pushpin in django. I am getting the following error.
route file is
* 127.0.0.1:8000,over_http
I have started the pushpin proxy server, installed django grip, configured the settings file.
I have copied the example websocket view code in the README, which is:
@websocket_only
def echo(request):
    print(request)
    # since we used the decorator, this will always be a non-None value
    ws = request.wscontext
    # if this is a new connection, accept it and subscribe it to a channel
    if ws.is_opening():
        ws.accept()
        ws.subscribe('test')
    # here we loop over any messages
    while ws.can_recv():
        message = ws.recv()
        # if return value is None, then the connection is closed
        if message is None:
            ws.close()
            break
        # echo the message
        ws.send(message)
My url config to the view is
url(r'^socket/$', echo, name="socket"),
This urlconf is included in the root urlconf for the regex starting with 'users/'
On the client side, I use an example websocket connection opening code
<script type="text/javascript">
function WebSocketTest() {
    if ("WebSocket" in window) {
        alert("WebSocket is supported by your Browser!");
        // Let us open a web socket
        var ws = new WebSocket("ws://127.0.0.1:7999/users/socket");
        ws.onopen = function () {
            // Web Socket is connected, send data using send()
            alert("Message is sent...");
        };
        ws.onmessage = function (evt) {
            var received_msg = evt.data;
            alert("Message is received...");
        };
        ws.onclose = function () {
            // websocket is closed.
            alert("Connection is closed...");
        };
    }
    else {
        // The browser doesn't support WebSocket
        alert("WebSocket NOT supported by your Browser!");
    }
}
</script>
<div id="sse">
    <a href="javascript:WebSocketTest()">Run WebSocket</a>
</div>
Clicking on "Run WebSocket" in the browser shows the first alert that the browser supports websocket, and then it shows the alert that the websocket connection is closed.
The local django dev server shows the following in the terminal:
[26/Dec/2015 16:56:17] "POST /users/socket HTTP/1.1" 500 81431
Could you help me figure out where I am going wrong ?
Thanks and regards,
Andy
I'm trying to use django-grip (as a dependency of django-eventstream) in the same project as tensorflow (which indirectly depends on Werkzeug>=1.0.1). I've taken a look at the code and the newer versions of Werkzeug should be compatible up to Werkzeug 2.10, at which point the "The multiple parameter of parse_options_header is deprecated.".
https://werkzeug.palletsprojects.com/en/2.1.x/changes/#version-2-1-0
Would it be possible to change setup.py to specify Werkzeug<2.1 instead of the current Werkzeug<1? I can submit a PR if you prefer.
Thanks!
It is unclear whether set_hold_stream is applicable to WebSockets.
I am trying to enable keep-alives for a WebSocket by doing this:
django_grip.set_hold_stream(request, [], keep_alive_timeout=30, keep_alive_data="somestring")
In Pushpin log (running at --log-level 10), I see no relevant mentions of keep-alives (there are some apparently unrelated keep-alives with ttl of 60).
I use wscat CLI client for testing, and no keep-alive messages (I would expect "somestring") arrive there, and also the WebSocket itself gets terminated in 50s (which is the timeout configured in HAProxy, behind which Pushpin runs).
I plan to run packet capture of traffic between django app and pushpin tomorrow.
Opening websocket fails in Django(2.0.7)
Settings:
Django + django-grip
Start Django backend server
python manage.py runserver 9000
pushpin --route="* localhost:9000"
curl -i -H 'Content-Type: application/websocket-events' -d OPEN$'\r'$'\n' http://127.0.0.1:7999/users/socket/
HTTP/1.1 200 OK
Date: Tue, 17 Jul 2018 20:31:20 GMT
Server: WSGIServer/0.2 CPython/3.6.3
Content-Type: application/websocket-events
Sec-WebSocket-Extensions: grip
X-Frame-Options: SAMEORIGIN
Content-Length: 59
OPEN
TEXT 2a
c:{"channel": "test", "type": "subscribe"}
<script type = "text/javascript">
function WebSocketTest() {
    console.log("before open");
    var ws = new WebSocket("ws://127.0.0.1:7999/users/socket/");
    /////// Code fails right here in the above line
}
</script>
By capturing HTTP packets, I can see client requests:
TCP port 62775 -> TCP port 7999
GET ws://127.0.0.1:7999/users/socket/ HTTP/1.1
Host: 127.0.0.1:7999
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: file://
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Sec-WebSocket-Key: A7FIs1KWY/tVejJrSGFyDg==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
pushpin forwards the request packet as:
TCP port 62777 -> 9000
GET ws://127.0.0.1:7999/users/socket/ HTTP/1.1
Host: 127.0.0.1:7999
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: file://
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Grip-Sig: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MzE4NjM5OTAsImlzcyI6InB1c2hwaW4ifQ.J-D-qfx93Isn9tQejtik4xWLcnLxDQZVIHlX9yjhh1c
Grip-Feature: status, session, link:next, filter:skip-self, filter:skip-users, filter:require-sub, filter:build-id
Sec-WebSocket-Extensions: grip
Sec-WebSocket-Key: LEbAmwodtjDsXPaUR6Orjw==
the Django server responds with:
HTTP/1.1 400 Bad Request
Date: Tue, 17 Jul 2018 20:27:51 GMT
Server: WSGIServer/0.2 CPython/3.6.3
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 39
Request must contain WebSocket events.
Sample usage is confusing
I'm trying to use pushpin in my app. I use websocket (instead of HTTP streaming) as transports.
But the README and the documentation are quite confusing (allow me to use such harsh words).
I have several questions:
In your README, what are the two code snippets in 'Example view:' supposed to run against? Are they supposed to run in Django? If so, what directory should they be placed into?
I managed to figure out the set up.
I noticed that your documentation (https://pushpin.org/docs/usage/#transports) mentioned that "WebSocket-over-HTTP" should be preferred.
My question is: If websocket is mocked by HTTP, then why bother using websocket at all (I mean, why not use pure HTTP instead)? I do not get the rationale of it.
Do you have a front end plus backend demo for websocket + pushpin?
I noticed that in your code, only HTTP request method 'POST' is processed (e.g. https://github.com/fanout/headline/blob/master/headlineapp/views.py). From my understanding, it seems that you discourage HTTP request method 'GET'. If so, how should the backend respond to such a client request below?
var chatSocket = new WebSocket(
    'ws://' + window.location.host +
    '/ws/chat/' + roomName + '/');
From my understanding, the above code sends an HTTP request 'GET' (see below), but it seems that 'GET' is discouraged, which is quite confusing to me. (I combed through your documentation but it is not addressed in your documentation. And honestly, your documentation is too brief to be friendly to newcomers of your product (sorry to be so blunt)).
GET /ws/chat/aaaa/ HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /ws/chat/aaaa/ HTTP/1.1\r\n]
[GET /ws/chat/aaaa/ HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /ws/chat/aaaa/
Request Version: HTTP/1.1
Host: localhost:8000\r\n
Connection: Upgrade\r\n
Pragma: no-cache\r\n
Cache-Control: no-cache\r\n
Upgrade: websocket\r\n
Origin: http://localhost:8000\r\n
Sec-WebSocket-Version: 13\r\n