Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/03/16 04:56:00 UTC

[jira] [Commented] (JAMES-3457) Support JMAP HTTP PUSH

    [ https://issues.apache.org/jira/browse/JAMES-3457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17302218#comment-17302218 ] 

Benoit Tellier commented on JAMES-3457:
---------------------------------------

While starting to implement PUSH in our webmail, we encountered the following difficulty:

JMAP needs HTTP headers to work: Authorization (for authentication) and Accept (to specify the JMAP version).
Using the WebSocket API (https://developer.mozilla.org/en-US/docs/Web/API/WebSocket) we cannot send HTTP headers.
It is possible with node libraries (https://www.npmjs.com/package/ws, https://socket.io/) and with command-line clients (https://github.com/vi/websocat), but the aim of jmap-client-ts is to be used in web browsers (Firefox, Chrome, ...).
This post on StackOverflow (https://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api) explains that it is not possible to pass headers with the WebSocket API and proposes some alternatives.
In the JMAP WebSocket draft (https://tools.ietf.org/html/draft-ietf-jmap-websocket-07#section-4.1), there is no other way of authentication than the request initiating the WebSocket, so with HTTP headers.
This issue (https://github.com/whatwg/html/issues/3062) asks for support of HTTP headers for WebSocket in browsers; there is also a comment mentioning JMAP (https://github.com/whatwg/html/issues/3062#issuecomment-722021171).

Possible solutions:

 -  The WebSocket does not need authentication to be established; the content of the HTTP headers is instead sent in the first message by the client.

If no auth header is specified on the HTTP handshake, expect an Authentication ballot as the first message:

```
{ "@type": "Authorization", "Authorization":"Bearer GABOUZOMEUH" }
```

Some alternatives to this approach might be:

 -  The content of the HTTP headers is instead transmitted by query parameters, though it is not very secure.

 -  The content of the HTTP headers is instead transmitted by the protocols list (this will set a header Sec-WebSocket-Protocol), though this is not what the header is intended to do.



> Support JMAP HTTP PUSH
> ----------------------
>
>                 Key: JAMES-3457
>                 URL: https://issues.apache.org/jira/browse/JAMES-3457
>             Project: James Server
>          Issue Type: Sub-task
>          Components: JMAP
>            Reporter: Benoit Tellier
>            Assignee: Antoine Duprat
>            Priority: Major
>
> https://github.com/iNPUTmice/jmap/issues/26
> That would be awesome to have James as one of the first implementors of the JMAP RFC-8620 Push mechanism.



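The first-message authentication proposed in the comment above, sketched from the server side as an added example (not code from James, jmap-client-ts, or the comment's author). `createAuthGate`, `verifyToken`, `deliver`, the 5 second deadline and the pre-auth size cap are assumptions made for illustration; the gate is transport-agnostic so it runs without a WebSocket library.

```javascript
// Added example: gate a WebSocket whose HTTP handshake carried no Authorization
// header. Nothing reaches the JMAP layer until the first message authenticates.
// Hypothetical names: createAuthGate, verifyToken (token -> user or null), deliver.
const MAX_PREAUTH_LEN = 4096;  // assumed cap on the single unauthenticated message
const POLICY_VIOLATION = 1008; // WebSocket close code defined by RFC 6455

function createAuthGate({ verifyToken, deliver, close, timeoutMs = 5000 }) {
  let user = null;
  let closed = false;

  const fail = (reason) => {
    if (closed) return;
    closed = true;
    clearTimeout(timer);
    close(POLICY_VIOLATION, reason);
  };

  // An unauthenticated socket must not be allowed to idle indefinitely.
  const timer = setTimeout(() => fail('authentication timeout'), timeoutMs);

  return function onMessage(raw) {
    if (closed) return;
    if (user !== null) return deliver(user, raw); // authenticated: normal traffic

    // Pre-auth: accept exactly one small, well-formed Authorization message.
    if (raw.length > MAX_PREAUTH_LEN) return fail('pre-auth message too large');
    let msg;
    try { msg = JSON.parse(raw); } catch { return fail('malformed JSON'); }
    if (msg === null || typeof msg !== 'object' ||
        msg['@type'] !== 'Authorization' ||
        typeof msg.Authorization !== 'string') {
      return fail('first message must be Authorization');
    }
    const match = /^Bearer (\S+)$/.exec(msg.Authorization);
    const who = match ? verifyToken(match[1]) : null;
    if (who === null) return fail('invalid credentials');

    clearTimeout(timer);
    user = who; // later messages on this socket are attributed to this user
  };
}
```

Because the credential travels in a message body, keep raw frames out of server logs until the gate has consumed the first one.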