Ideally, I'd like to use the CSRFMiddleware on a websocket route. But at present, the CSRFMiddleware hits an assertion error whenever the websocket route is accessed:
Attempted solutions
Failed: Added my websocket route to exempt_urls -- think the error happens before this is ever applied
Failed: Added my websocket route to required_urls -- I hoped that maybe the initial HTTP connection that gets upgraded would pass through
Tried replacing request = Request(scope) with request = WebSocket(scope, receive=receive, send=send) if scope["type"] == "websocket" else Request(scope), but still occurred
Current workaround
I wrap CSRFMiddleware and only pass HTTP requests into it. This is suboptimal because I would like to enforce CSRF protection for my websocket route.
from starlette.types import Receive, Scope, Send
from starlette_csrf.middleware import CSRFMiddleware as _CSRFMiddleware

class CSRFMiddleware(_CSRFMiddleware):
    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        # type="websocket" will raise an exception at present
        if scope["type"] == "http":
            await super().__call__(scope, receive, send)
        else:
            # websocket (and lifespan) scopes bypass the CSRF check entirely
            await self.app(scope, receive, send)
Partial test case
I tried to document the error in a test case, but using the httpx client does not expose the .websocket_connect() that starlette's testclient exposes. So this code does not yet fully work.
Happy to try to help with some pointers.
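One way to keep cross-site protection on the websocket handshake while CSRFMiddleware only receives HTTP scopes, as an added example that is not part of the original issue or of starlette-csrf: a pure-ASGI middleware that checks the handshake's Origin header against an allowlist, which is a different check from the token comparison CSRFMiddleware applies to HTTP requests. WebSocketOriginGuard, echo_app, handshake and the origin https://app.example.test are hypothetical names constructed for the example.

```python
import asyncio


class WebSocketOriginGuard:
    """Pure-ASGI middleware: reject websocket handshakes from unlisted origins."""

    def __init__(self, app, allowed_origins):
        self.app = app
        self.allowed = {o.lower().rstrip("/") for o in allowed_origins}

    async def __call__(self, scope, receive, send):
        if scope["type"] != "websocket":
            # HTTP and lifespan scopes pass through untouched.
            await self.app(scope, receive, send)
            return
        # ASGI header names arrive as lowercased bytes.
        origins = [v for k, v in scope.get("headers", []) if k == b"origin"]
        # Require exactly one Origin header that is on the allowlist.
        # A missing Origin is rejected too, which also blocks non-browser clients.
        ok = len(origins) == 1 and origins[0].decode("latin-1").lower() in self.allowed
        if not ok:
            await receive()  # consume "websocket.connect"
            # Closing before accept makes the server answer the handshake with HTTP 403.
            await send({"type": "websocket.close", "code": 1008})
            return
        await self.app(scope, receive, send)


async def echo_app(scope, receive, send):
    # Hypothetical downstream app: accepts the socket and returns.
    await receive()
    await send({"type": "websocket.accept"})


def handshake(origin_headers):
    """Drive one constructed websocket scope through the guard; return sent event types."""
    sent = []
    scope = {"type": "websocket", "path": "/ws",
             "headers": [(b"origin", o) for o in origin_headers]}

    async def receive():
        return {"type": "websocket.connect"}

    async def send(message):
        sent.append(message["type"])

    guard = WebSocketOriginGuard(echo_app, ["https://app.example.test"])
    asyncio.run(guard(scope, receive, send))
    return sent
```

Because it only touches raw ASGI scopes, the guard can wrap the whole application alongside the HTTP-only CSRFMiddleware wrapper shown in the workaround.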