Thursday, January 15, 2009

Chat Hacking

In a blog post by the same name on our (internal) bug tracking system, my colleague Danny describes our (thus far futile) efforts to create an unholy union between JWChat and a cgi script.  That's right, we're trying to do XMPP Chat via the web, which means we're trying to utilize something which implements XEP-0124 (BOSH).

The point is that we want outsiders to be able to talk to our people who are using the internal XMPP server.  Trouble is, the XMPP server requires local credentials to log in (LDAP), so we need them to log in via dummy accounts.  But, we don't want to just hand out the user/pass to those dummy accounts by putting them into the JavaScript source of a web-based chat client.  Hence, the madness begins.

One of our system administrators had the lovely idea of using a CGI script to initiate the connection, keeping our credentials server-side, over an http-bind proxy.  Then we'd hand the session data to our JavaScript client-side, again through the proxy, hopefully unbeknownst to the chat server.

Yeah, it's not going so well.  As in, not at all.  For one thing, there are no existing libraries to implement XEP-0124 in Perl.  We can do regular socket connections, sure, but not BOSH.  So, we were faced with either using a library from another language (like JavaScript or C++) inside a Perl wrapper, or just "faking" the BOSH process by sending some pre-formatted XML over an LWP connection to the http-bind port.  

Well, that part actually worked (surprisingly enough): we can connect server side and get session info.  But as of right now, we can't inject that info into the JavaScript client side and have it pick up the ball, so to speak.  I think maybe the server somehow can tell that we've pulled a fast one on it, and it's not willing to talk to the client masquerading as the server.  Danny thinks we probably just haven't covered all of our bases in initializing the JavaScript chat engine.  We're proceeding under the assumption that he's right, and it's still possible to get this to work.
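
The server-side half of the handoff described above, as an added example that is not the authors' Perl script: it builds the XEP-0124 session-creation body, reads the sid from the response, and computes the rid the browser has to send next. It is written in JavaScript for Node rather than Perl; the function names, the domain chat.example.org and the sample response are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): BOSH session creation and handoff.
const { randomInt } = require("node:crypto");

const BOSH_NS = "http://jabber.org/protocol/httpbind";

// XEP-0124 asks for a large random first rid; staying far below 2^53 keeps
// every later increment exact in JavaScript.
function initialRid() {
  return randomInt(2 ** 32, 2 ** 48);
}

// Body of the session-creation request the server-side script POSTs to http-bind.
function sessionRequest(domain, rid) {
  if (!/^[A-Za-z0-9.-]+$/.test(domain)) throw new Error("unexpected domain");
  return `<body xmlns='${BOSH_NS}' to='${domain}' rid='${rid}' ` +
         `wait='60' hold='1' ver='1.6' content='text/xml; charset=utf-8'/>`;
}

// Attributes of the <body/> wrapper in a connection manager response.
function bodyAttrs(xml) {
  const open = /<body\b([^>]*)>/.exec(xml);
  if (!open) throw new Error("no <body/> element in response");
  const attrs = {};
  for (const m of open[1].matchAll(/([\w:.-]+)\s*=\s*(['"])(.*?)\2/g)) {
    attrs[m[1]] = m[3];
  }
  return attrs;
}

// What the browser needs to continue the session: the sid from the
// session-creation response and the rid for its first request. lastRid is the
// rid of the last request the script itself sent; every request in a session
// must use the previous rid plus one.
function handoff(creationResponseXml, lastRid) {
  const a = bodyAttrs(creationResponseXml);
  if (a.type === "terminate") throw new Error(`session ended: ${a.condition}`);
  if (!a.sid) throw new Error("response carries no sid");
  return { sid: a.sid, rid: lastRid + 1, wait: Number(a.wait), requests: Number(a.requests) };
}

// Constructed sample response; the sid and other values are made up.
const SAMPLE_RESPONSE =
  "<body xmlns='http://jabber.org/protocol/httpbind' sid='constructed-sid-0001' " +
  "wait='60' requests='2' hold='1' ver='1.6'/>";

const firstRid = initialRid();
console.log(sessionRequest("chat.example.org", firstRid));
console.log(handoff(SAMPLE_RESPONSE, firstRid));
```

The sid together with the next rid is all a client needs to send stanzas as the dummy account, so the pair deserves the same handling as a session cookie: delivered over HTTPS only and kept out of logs and URLs.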

Only time will tell if this crazy scheme of ours can work.

2 comments:

Danny said...

For the record, I never said anything about the server not liking our bait-n-switch. I suspect it's more us not setting up the library right. Or I guess it would be beating the library stupid.
I've contacted the developer of JSaC, I'm hoping he will be amused enough to have some ideas.

Adam said...

I've updated the text to reflect that. Not sure if the JSJaC dev will respond in time (or take kindly to you calling his lib "J-Sack").