These are chat archives for fanout/pushpin

9th
Jul 2018
Justin Karneges
@jkarneges
Jul 09 2018 16:56
hi @tHeMaskedMan981_gitlab, make sure the client connects through pushpin. a common mistake is to connect directly to your django app which won't be able to keep the connection open on its own
Adam McElwee
@acmcelwee
Jul 09 2018 19:41
@jkarneges am I right in interpreting that the Grip-Sig headers aren't regenerated again for keep-alive requests to the backend?
Adam McElwee
@acmcelwee
Jul 09 2018 20:24
I guess I should also ask if Grip-Sig is the best way for us to ensure the request to our backend is from the pushpin proxy.
via websockets over http as the protocol
Basically, we're seeing grip-sig validation fail, and when we dig in on all of them, the jwt expiry is the issue.
so, we're just trying to track down why those grip-sig header contents would be expired
keep-alive-interval is set to 20 seconds on the initial response
Justin Karneges
@jkarneges
Jul 09 2018 20:54
@acmcelwee good catch. it seems they are not regenerated. I'd say that's a bug
Adam McElwee
@acmcelwee
Jul 09 2018 20:54
:thumbsup:
Let me look at it and see if it's easy enough for me to submit a PR.
Otherwise, I'll open up an issue.
Justin Karneges
@jkarneges
Jul 09 2018 22:41
@acmcelwee thanks for filing the issue. I was thinking about it, and it is a little challenging since the sig is calculated at a different layer. will try to get to it soon
Adam McElwee
@acmcelwee
Jul 09 2018 22:42
Yeah, that's what I determined. I spent about 30 minutes acquainting myself w/ the flow of things and ultimately decided it's not a straightforward change for me to propose at the moment.
Justin Karneges
@jkarneges
Jul 09 2018 22:42
in the meantime, I thought of a workaround which may not be too difficult to do: use websocket-over-http meta to set a secret value, and look for that on subsequent requests
if meta value present and correct, consider the request safe. else, check grip-sig
Adam McElwee
@acmcelwee
Jul 09 2018 22:43
yeah, we discussed basically creating our own sig of the headers that we set on the session
and potentially skipping grip-sig altogether
Justin Karneges
@jkarneges
Jul 09 2018 23:41
another way is to use the header param on the route. forgot to document this until now https://pushpin.org/docs/configuration/#condition-parameters
could just set it to some static known secret
Adam McElwee
@acmcelwee
Jul 09 2018 23:42
Ahh, that would probably actually be sufficient for our use case.
We don't have any tiered pushpin architecture in place.
So, I think that's perfect for us.
thanks