Parity-ethereum: Can't connect to Parity with websocket in the browser

The token check is just used for the UI. From what I understand you do not use the UI.
You do not need to generate or handle tokens if all you need is to do RPC calls to your node. Do you have anything not working as expected with your current configuration?

Thank you @Tbaut for getting back so quickly!

I was expecting that I could connect to the server running this piece of code in Chrome (after babeling it of course):

const Web3 = require('web3'); // tslint:disable-line

const PARITY_URL = 'wss://redacted.com'
const web3 = new Web3(PARITY_URL)

But this gives the following error:

index.js:67 WebSocket connection to 'wss://redacted.com/' failed: Error during WebSocket handshake: Unexpected response code: 403

On the server I get, as I said above the log message that access was denied because of invalid token:

2018-05-11 10:05:48 UTC Blocked connection from http://localhost:3000 using invalid token.

As I said in the headline, I would love to be able to tell parity to not check tokens but I do not know how to do that. I do not intend to use the GUI (but I have to run it to be able to run health checks against the UI in my load balancer in front of the parity instance on the server).

So I switched off the UI and use http://nodeip:8545/api/health for the health check. Still same issue.

To reiterate: I can run the following test successfully in node:

// blockchain.ts
const Web3 = require('web3'); // tslint:disable-line

const PARITY_URL = 'wss://redacted.com'
const web3 = new Web3(PARITY_URL)

export const getBalance = web3.eth.getBalance

// blockchain.spec.ts
import * as test from 'tape'
import { getBalance } from './blockchain'

test('It should get the correct balance for an ether address', async (t) => {
  t.plan(1)
  const balance = await getBalance('0x73bB910F8Aca4148Ba453F4c9AAD0c1a2c85a81b')
  t.equal(balance, '3427292890000000000')
})

When I load blockchain.ts in the browser, I get aforementioned error because parity denies access without a "valid token". I excpect the library to function in the browser too.

Where are these tokens documented anyhow?

I still would love to turn off this check. As I am saying, I meanwhile switched of the UI in the hopes that this would also drop this check. My config for parity now looks like this:

services:
  ethereum:
    image: parity/parity:v1.11.0
    ports:
      - 30303:30303
    command: > 
               --ws-interface all
               --jsonrpc-interface all
               --base-path /root/parity
               --no-ancient-blocks
               --no-serve-light
               --max-peers 250
               --snapshot-peers 50
               --min-peers 50
               --mode active
               --tracing off
               --pruning fast
               --no-ui
               --db-compaction ssd
               --cache-size 4096
               --ws-origins http://localhost:3000
               --ws-hosts https://redacted.com

The token has nothing to do with your problem. What you want to do should work without bothering with the UI.
You must have a problem with your configuration (your flags). Let's start easy and unsecure with --ws-origins all --ws-hosts all --jsonrpc-interface all --jsonrpc-cors all as well as

if (typeof web3 !== 'undefined') {
  web3 = new Web3(web3.currentProvider);
} else {
  // set the provider you want from Web3.providers
  web3 = new Web3(new Web3.providers.HttpProvider("http://localhost:8545"));
}

in your code instead of const PARITY_URL = 'wss://redacted.com' and see if it works. If it does then start replacing with your IP and domains and see where things go south.

The above works if I replace parity with geth. This is not an issue with configuration or my javascript. As I am saying: When I load my code in the browser, I get the following error locally in chrome:

index.js:67 WebSocket connection to 'wss://redacted.com/' failed: Error during WebSocket handshake: Unexpected response code: 403

at the same time I get the following log on the server:

2018-05-11 10:05:48 UTC Blocked connection from http://localhost:3000 using invalid token.

The server sends back a 403!

As I said, I meanwhile replaced the server part with geth, and everything works fine.

Also to note: The server only sends the 403 when the request comes from the browser (aka "contains headers"). When the request comes from node, the server responds fine and the websocket connection is established.

Geth and parity are different as you can see :) Something that works on one might not work on the other out of the box. We have Dapps running in a browser that do not require tokens. Please consider testing with the flags I suggested. We might find bugs/problems along the way, but we first need to make it work right?

Feeling a bit like a schoolboy beeing pushed around, but I set up parity locally and used the http provider instead of the websocket provider: It works.

But that is not at all what I want. I want a websocket provider. So I took the liberty to change things a bit:

# docker-compose.yml
version: "3.3"
services:
  parity:
    image: parity/parity:v1.11.0
    ports:
      - 8546:8546
      - 8545:8545
    command: >
               --ws-origins all
               --ws-hosts all
               --ws-interface all
               --jsonrpc-interface all
               --jsonrpc-cors all
    volumes:
      - parity:/root/parity
volumes:
  parity:
    external:
      name: parity

// blockchain.ts
const Web3 = require('web3') // tslint:disable-line

const PARITY_URL = 'ws://localhost:8546'

let web3: any

if (typeof web3 !== 'undefined') {
  web3 = new Web3(web3.currentProvider)
} else {
  // set the provider you want from Web3.providers
  web3 = new Web3(new Web3.providers.WebsocketProvider(PARITY_URL))
}

export const getBalance = (address: string) => web3.eth.getBalance(address)

No I locally get again in Chrome

WebSocket connection to 'ws://localhost:8546/' failed: Error during WebSocket handshake: Unexpected response code: 403

and in the local docker logs for the parity node I get at the same moment

2018-05-15 06:46:13 UTC Blocked connection from http://localhost:3000 using invalid token.

So I am able to locally reproduce the issue I have. With the above you or anyone else should be too.

Now please let us talk about what this token should look like and why parity is checking for it.

hmm I tried the same setup with another script, no problem:

using:

var Web3 = require('web3');
var web3 = new Web3("ws://localhost:8546"); // same output as with option below
var web3 = new Web3(new Web3.providers.WebsocketProvider('ws://localhost:8546'));
web3.eth.getAccounts(console.log);
console.log("Hello World");

result:

$ node ws.test 
Hello World
null [ '0x00a329c0648769A73afAc7F9381E08FB43dBEA72' ]

launching parity in a docker:
docker run --rm -ti --name parity -p 8545:8545 -p 30303:30303 -p 8546:8546 parity/parity:1.11.0 --ws-interface all --jsonrpc-interface all --ws-origins all --chain dev

Thanks for taking the time to followo up. You are running your test in node. This is not what I am talking about. The problem arises when running the code in the browser. Most possibly because when you run it from node, no headers will be sent with the requests. Please produce an example that works when the javascript code is executed in the browser.

Also please see https://github.com/paritytech/parity/issues/8603#issuecomment-388618714:

To reiterate: I can run the following test successfully in node:
[...]
When I load blockchain.ts in the browser, I get aforementioned error because parity denies access without a "valid token".

It's a bug in the latest [email protected] reported https://github.com/ethereum/web3.js/issues/1559, using the beta33 works as expected.
Thanks a lot @amaurymartiny for the precious help.

To reproduce with a working [email protected]:
git clone https://github.com/amaurymartiny/simple-web3
cd ./simple-web3
yarn install
yarn start
Visit http://localhost:8080/

Cool. I will give it a spin tomorrow. Thanks for looking so deeply into it!

One further remark: As I said, it worked fine when I used geth as the backend. So either parity is checking this header for no reason (wasting cpu cycles) or geth has a security vulnerability. So for me one of the two has a bug here.

In the issue linked above:

the request headers we have value of Sec-WebSocket-Protocol: undefined which gets handled badly on the node since it's undefined.

Sure Parity could ignore it, but I don't think it's the right thing to do. I'll close the issue for now.

thanks @Levino downgrading web3 to beta 33 worked for me using infura ropsten web socket . however parity still does not work for me

i am booting my parity using
parity --chain ropsten --unsafe-expose --password password.file --jsonrpc-apis all --jsonrpc-interface all --jsonrpc-cors all --ws-port 8546 --ws-interface all --ws-origins all --ws-hosts all --rpccorsdomain "*"

Dear @acidfreako, please file a new issue. This one here has been closed. Also please take some time to produce a more detailed and specific issue report. More specifically you should answer the following two questions: "What did you expect?" "What happened instead?"