Any changes in websocket handling since 3.10.6?

Umb

Hi - I use websockets to establish an internal chat service (like messenger) for my users but since I upgraded to 3.11.5 I've noticed that it doesn't authorise the ws connection anymore which I think is maybe due to a CORS issue - I see this in my logs :

04/11/2025 13:20:27

Error
node3 - Server aborted websocket request, websocket: request origin not allowed by Upgrader.CheckOrigin

the server is on localhost:54974 and the request comes from localhost:8001 - Has anything changed in the handling of websocket connections since 3.10.6? I'm not entirely convinced that it is actually the fault of the the server because R3-Toolshop is still connecting and working fine but I notice there are code changes there so I thought I'd better ask! As usual - any help or insight is greatly appreciated ;)

Cheers

gabriel

We rarely touch the websocket code, as its low level and quite stable. It is more likely in feature releases (such as 3.11), as these sometimes require new capabilities.

Before I start searching through all commits between 3.10.6 & 3.11.5, you have mentioned that you have seen relevant code changes - could you maybe point me to the ones you´ve seen?

I´ve checked and there was at least no update to the websocket library itself (Gorilla/Websocket) in the last feature release.

gabriel

I´ve had a look and besides a data field for session tracking and a new authentication option (OpenID), there was no structural change or configuration difference in our websocket handler between the named releases - at least nothing I could identify.

Umb

OK - so I think I've narrowed it down to ressource "auth" action "token"

This is what I'm sending (the token value is the one returned on a "auth", "user" call)
{
"TransactionNr": 8384128664754975,
"Requests": [
{
"Ressource": "auth",
"Action": "token",
"Payload": {
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJyMyBhcHBsaWNhdGlvbiIsInN1YiI6Im1lc3NhZ2luZyIsImV4cCI6MTc2MzAzMTU5MiwiaWF0IjoxNzYyNDI2NzkyLCJhZG1pbiI6dHJ1ZSwibG9naW5JZCI6MTc5LCJ0eXBlIjoibG9jYWwiLCJub0F1dGgiOmZhbHNlfQ.S7gTAZ5WIZiBVGtdl-11Lej4BuGkEzfVfsHYrr-fgTc"
}
}
]
}

Does that look right to you? The code has changed from :

`func LoginAuthToken(ctx context.Context, reqJson json.RawMessage, loginId *int64, admin *bool, noAuth *bool) (interface{}, error) {

var (
	err error
	req struct {
		Token string `json:"token"`
	}
	res struct {
		LoginId   int64  `json:"loginId"`
		LoginName string `json:"loginName"`
	}
)

if err := json.Unmarshal(reqJson, &req); err != nil {
	return nil, err
}

res.LoginName, _, err = login_auth.Token(ctx, req.Token, loginId, admin, noAuth)
if err != nil {
	return nil, err
}

res.LoginId = *loginId
return res, nil

func LoginAuthToken(ctx context.Context, reqJson json.RawMessage) (types.LoginAuthResult, error) { var req string if err := json.Unmarshal(reqJson, &req); err != nil { return types.LoginAuthResult{}, err } return login_auth.Token(ctx, req) }

The response I get is this :

{
"transactionNr": 8384128664754975,
"responses": [],
"error": "AUTH_ERROR"
}

Umb

OK - I think I've got it! In this your were trying to unmarshal JSON into a string which you can't do ... it must always be contain in a struct to allow unmarshalling so I changed this :

to this :

func LoginAuthToken(ctx context.Context, reqJson json.RawMessage) (types.LoginAuthResult, error) { var req struct { Token stringjson:"token"} if err := json.Unmarshal(reqJson, &req); err != nil { return types.LoginAuthResult{}, err } return login_auth.Token(ctx, req.Token) }

and it appears to work now :D

gabriel

Umb
Thank you for investigating and finding the cause of the issue.

The interface you point to does not require a struct - it only takes a string. A string is valid JSON, just like a single number or a null.

The relevant call in r3 just passes the token as string as the JSON payload:

authenticateByToken() {
	ws.send('auth','token',this.token,true).then(
		res => this.appEnable(res.payload.id,res.payload.name),
		err => this.handleError('authToken',err)
	);
	this.loading = true;
},

Most authentication in r3 occurs via token authentication. If this call were broken, r3 would not work for most people.

It is possible that we had a more complex JSON before (and therefore needed a struct as unmarshal target on the server). And then later simplified the interface, because we actually only need a single token string. I would have to go through many commits to confirm this, but this is something we do, when we work on or refactor the affected components.

This is the downside of working with the websocket handler directly. It is not a public API and if there are changes, you need to apply them as well on your end. In this case, you would have to change your token auth payload to not be a JSON object, but just the token string.

Umb

I think I will have to modify my approach - it breaks the auto-login feature and maybe others I'm not aware of ... yet !!! :D

Umb

Yep - that works perfectly now that I just send the string! I also noticed from my colour modifications that Vue was complaining a lot because I'd removed the extra bits it was trying to reference - so I put them all back in but simply added a few v-show="false" statements in the appropriate places and that fixed it .... I wonder if you could add an extra tickbox option for the colour fields in the builder view like "Show Text" which sets a boolean variable so v-show=var_name would give us the option of showing the text or not ... also (not to be picky 😆 ) but if read only is set could we have the X button hidden too because you can't click on it anyways.

Cheers for the insights & help Gabriel 😘

gabriel

Umb I wonder if you could add an extra tickbox option for the colour fields in the builder view like "Show Text" which sets a boolean variable so v-show=var_name would give us the option of showing the text or not ... also (not to be picky 😆 ) but if read only is set could we have the X button hidden too because you can't click on it anyways.

Sorry, still the same situation as before - we can barely add the stuff we really need to. Little time to add stuff that is not strictly necessary.

Umb Cheers for the insights & help Gabriel 😘

Thank you for putting in the leg work to find the cause!