Skip to content
Advertisement

How to properly refuse websocket upgrade request?

Sometimes I want to refuse a http client’s request to upgrade connection to websocket.


Code

(using go‘s Gin and gorilla/websocket framework:)

To allow upgrade:

c, err := ctl.upgrader.Upgrade(ctx.Writer, ctx.Request, nil)
err = c.WriteJSON(resp)

To refuse upgrade (due to invalid request params):

if contentId == "" || !exists {
    // FIXME: provide response in a way that ws client can recognize & show tip?
    ctx.String(http.StatusBadRequest, "invalid or non-existing contentId")
    return
}

Explaination: Here to refuse the upgrade I just return a http 400 code, then terminate the connection, and didn’t do the upgrade at all.


The issue

The problem to refuse websocket upgrade request with about code is that, the websocket client (e.g js), can’t read data (text or json) in my response.

Code – client-side (js):

ws.onerror = function (evt) {
    // TOOD: handle error, (e.g print error msg?),
    print("ERROR");
}

It does print the "ERROR" on refuse, but after checking chrome developer tool about the evt object, can’t find a way to get server response data, so I can’t show tip to frontend UI with reason of refuse.


Questions

  • How to refuse websocket upgrade request properly, and let client be able to receive the returned reason/data ? (e.g client is js, server is go / gin / gorilla/websocket).
  • Is there a better way to refuse websocket upgrade request, other than return http code like 400?

Advertisement

Answer

To reject a websocket connection, do not upgrade the connection as described in the question. The browser API does not provide information about why the connection was rejected because the information can violate the same-origin policy.

Do the following to send an error reason back to the client application or user:

  1. Upgrade the connection.
  2. Send a close message with the error reason.
  3. Close the connection.

Here’s an example:

c, err := ctl.upgrader.Upgrade(ctx.Writer, ctx.Request, nil)
if err != nil {
    // TODO: handle error
}
if contentId == "" || !exists {
    c.WriteMessage(websocket.CloseMessage,
         websocket.FormatCloseMessage(websocket.ClosePolicyViolation, 
         "bad content id or not exist"))
    c.Close()
    return
}
// Continue with non-error case here.

Access the reason from the close handler in JS:

ws.onclose = function (evt) {
    if (evt.code == 1008) {  // 1008 is policy violation
       console.log(evt.reason)
    }
}
Advertisement