sio.wait() doesn't survive upgrade from http to https

[robotrapta]

My webserver (nginx) has the common config to 308 any http requests to https. If I call sio.connect() with an http (not https) URL, everything seems to work fine until my code gets to sio.wait() which after a couple seconds just returns without any error message or anything. But if I specify https manually in the endpoint, then the sio.wait() waits forever like I expect.

[miguelgrinberg]

Please review the troubleshooting section of the docs to learn how to generate logs. Then attach the logs showing the problem here.

[robotrapta]

Here's the failed log:

Attempting polling connection to http://dev.posichat.io/socket.io/?transport=polling&EIO=3
Polling connection accepted with {'sid': 'cfcebb0754894ec98ee2b478239f8fad', 'upgrades': ['websocket'], 'pingTimeout': 60000, 'pingInterval': 2000}
Engine.IO connection established
Received packet MESSAGE data 0
Namespace / is connected
Attempting WebSocket upgrade to ws://dev.posichat.io/socket.io/?transport=websocket&EIO=3
WebSocket upgrade failed: connection error
Sending packet PING data None
Sending polling GET request to http://dev.posichat.io/socket.io/?transport=polling&EIO=3&sid=cfcebb0754894ec98ee2b478239f8fad
Connected with sio.sid='cfcebb0754894ec98ee2b478239f8fad'
Unexpected status code 401 in server response, aborting
Exiting write loop task
Unexpected status code 401 in server response, aborting
Waiting for write loop task to end
Waiting for ping loop task to end
Exiting ping task
Exiting read loop task

So I'd guess it's because I'm authenticating with http-basic-auth using a custom header, and the Auth header isn't getting preserved. If I specify https to start with it works:

Attempting polling connection to https://dev.posichat.io/socket.io/?transport=polling&EIO=3
Polling connection accepted with {'sid': '1cd72eebab5447e5a30bf98f08f72060', 'upgrades': ['websocket'], 'pingTimeout': 60000, 'pingInterval': 2000}
Engine.IO connection established
Received packet MESSAGE data 0
Namespace / is connected
Attempting WebSocket upgrade to wss://dev.posichat.io/socket.io/?transport=websocket&EIO=3
WebSocket upgrade was successful
Sending packet PING data None
Connected with sio.sid='1cd72eebab5447e5a30bf98f08f72060'
Received packet NOOP data None
Received packet PONG data None
Sending packet PING data None
Received packet PONG data None
Sending packet PING data None
Received packet PONG data None

The code is extremely simple:

import os
import socketio

ENDPOINT = 'https://dev.posichat.io/'

sio = socketio.Client(logger=True, engineio_logger=True)

@sio.on('debugnum')
def got_debugnum(data):
    print(f"Got debugnum {data=}")

passwd = os.environ['HTTP_BASIC_AUTH']
sio.connect(ENDPOINT, headers={
    "Authorization": f"Basic {passwd}",
})

assert sio.sid, "Failed to connect"
print(f"Connected with {sio.sid=}")

sio.wait()

[miguelgrinberg]

So you are saying that you are passing a token or similar auth element on a non-encrypted connection? That is a terrible idea, you are exposing your tokens publicly.

Maybe there is something to improve in the Socket.IO client with regards to how redirects are handled, but you definitely do not want things to work in the way you seem to suggest.

[robotrapta]

Yes, I understand the described behavior represents a real security problem, and not how our system should ever actually behave. The tokens should not ever be sent over http, but I tracked down this bug when the endpoint URL was accidentally specified as http instead of https.